154100x80000000000000009191Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-07-17 09:58:00.179{E4B49A97-C928-6878-0B03-00000000EE03}4168C:\Windows\System32\attrib.exe10.0.14393.0 (rs1_release.160715-1616)Attribute UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationATTRIB.EXEattrib -s -h "C:\Users\Administrator\AppData\Local\Microsoft\Terminal Server Client\Cache\Cache0000.bin"C:\Temp\ATTACKRANGE\Administrator{E4B49A97-B620-6878-C041-040000000000}0x441c02HighMD5=E2B44D665E20F6FF5C453E0BD450D6FB,SHA256=F9F41EE710DCA39EFF229F5277AF4E3A24EDF7ECA6DFB2627AC3FEFC934907B2,IMPHASH=0A65AFF2BC34E4038AA82943ED63C0D7{E4B49A97-C0FC-6878-0F02-00000000EE03}2852C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp"ATTACKRANGE\Administrator 154100x80000000000000009190Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-07-17 09:58:00.163{E4B49A97-C928-6878-0A03-00000000EE03}6192C:\Windows\System32\attrib.exe10.0.14393.0 (rs1_release.160715-1616)Attribute UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationATTRIB.EXEattrib -s -h "C:\Users\Administrator\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache24.bmc"C:\Temp\ATTACKRANGE\Administrator{E4B49A97-B620-6878-C041-040000000000}0x441c02HighMD5=E2B44D665E20F6FF5C453E0BD450D6FB,SHA256=F9F41EE710DCA39EFF229F5277AF4E3A24EDF7ECA6DFB2627AC3FEFC934907B2,IMPHASH=0A65AFF2BC34E4038AA82943ED63C0D7{E4B49A97-C0FC-6878-0F02-00000000EE03}2852C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp"ATTACKRANGE\Administrator 154100x80000000000000009189Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-07-17 09:58:00.147{E4B49A97-C928-6878-0903-00000000EE03}6508C:\Windows\System32\attrib.exe10.0.14393.0 (rs1_release.160715-1616)Attribute UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationATTRIB.EXEattrib -s -h C:\Users\Administrator\documents\Default.rdpC:\Temp\ATTACKRANGE\Administrator{E4B49A97-B620-6878-C041-040000000000}0x441c02HighMD5=E2B44D665E20F6FF5C453E0BD450D6FB,SHA256=F9F41EE710DCA39EFF229F5277AF4E3A24EDF7ECA6DFB2627AC3FEFC934907B2,IMPHASH=0A65AFF2BC34E4038AA82943ED63C0D7{E4B49A97-C0FC-6878-0F02-00000000EE03}2852C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp"ATTACKRANGE\Administrator 154100x80000000000000009052Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-07-17 09:56:13.996{E4B49A97-C8BD-6878-FB02-00000000EE03}3104C:\Windows\System32\attrib.exe10.0.14393.0 (rs1_release.160715-1616)Attribute UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationATTRIB.EXEattrib -s -h C:\Users\Administrator\Local\Microsoft\Terminal Server Client\Cache\Cache0001.binC:\Temp\ATTACKRANGE\Administrator{E4B49A97-B620-6878-C041-040000000000}0x441c02HighMD5=E2B44D665E20F6FF5C453E0BD450D6FB,SHA256=F9F41EE710DCA39EFF229F5277AF4E3A24EDF7ECA6DFB2627AC3FEFC934907B2,IMPHASH=0A65AFF2BC34E4038AA82943ED63C0D7{E4B49A97-C0FC-6878-0F02-00000000EE03}2852C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp"ATTACKRANGE\Administrator 154100x80000000000000009051Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-07-17 09:56:13.982{E4B49A97-C8BD-6878-FA02-00000000EE03}4216C:\Windows\System32\attrib.exe10.0.14393.0 (rs1_release.160715-1616)Attribute UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationATTRIB.EXEattrib -s -h C:\Users\Administrator\Local\Microsoft\Terminal Server Client\Cache\bcache24.bmcC:\Temp\ATTACKRANGE\Administrator{E4B49A97-B620-6878-C041-040000000000}0x441c02HighMD5=E2B44D665E20F6FF5C453E0BD450D6FB,SHA256=F9F41EE710DCA39EFF229F5277AF4E3A24EDF7ECA6DFB2627AC3FEFC934907B2,IMPHASH=0A65AFF2BC34E4038AA82943ED63C0D7{E4B49A97-C0FC-6878-0F02-00000000EE03}2852C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp"ATTACKRANGE\Administrator 154100x80000000000000009050Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-07-17 09:56:13.965{E4B49A97-C8BD-6878-F902-00000000EE03}7020C:\Windows\System32\attrib.exe10.0.14393.0 (rs1_release.160715-1616)Attribute UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationATTRIB.EXEattrib -s -h C:\Users\Administrator\documents\Default.rdpC:\Temp\ATTACKRANGE\Administrator{E4B49A97-B620-6878-C041-040000000000}0x441c02HighMD5=E2B44D665E20F6FF5C453E0BD450D6FB,SHA256=F9F41EE710DCA39EFF229F5277AF4E3A24EDF7ECA6DFB2627AC3FEFC934907B2,IMPHASH=0A65AFF2BC34E4038AA82943ED63C0D7{E4B49A97-C0FC-6878-0F02-00000000EE03}2852C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp"ATTACKRANGE\Administrator 154100x80000000000000008809Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-07-17 09:53:11.760{E4B49A97-C807-6878-E202-00000000EE03}5780C:\Windows\System32\attrib.exe10.0.14393.0 (rs1_release.160715-1616)Attribute UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationATTRIB.EXEattrib -s -h C:\Users\Administrator\Local\Microsoft\Terminal Server Client\Cache\Cache001.binC:\Temp\ATTACKRANGE\Administrator{E4B49A97-B620-6878-C041-040000000000}0x441c02HighMD5=E2B44D665E20F6FF5C453E0BD450D6FB,SHA256=F9F41EE710DCA39EFF229F5277AF4E3A24EDF7ECA6DFB2627AC3FEFC934907B2,IMPHASH=0A65AFF2BC34E4038AA82943ED63C0D7{E4B49A97-C0FC-6878-0F02-00000000EE03}2852C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp"ATTACKRANGE\Administrator 154100x80000000000000008808Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-07-17 09:53:11.744{E4B49A97-C807-6878-E102-00000000EE03}6032C:\Windows\System32\attrib.exe10.0.14393.0 (rs1_release.160715-1616)Attribute UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationATTRIB.EXEattrib -s -h C:\Users\Administrator\Local\Microsoft\Terminal Server Client\Cache\bcache24.bmcC:\Temp\ATTACKRANGE\Administrator{E4B49A97-B620-6878-C041-040000000000}0x441c02HighMD5=E2B44D665E20F6FF5C453E0BD450D6FB,SHA256=F9F41EE710DCA39EFF229F5277AF4E3A24EDF7ECA6DFB2627AC3FEFC934907B2,IMPHASH=0A65AFF2BC34E4038AA82943ED63C0D7{E4B49A97-C0FC-6878-0F02-00000000EE03}2852C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp"ATTACKRANGE\Administrator 154100x80000000000000008807Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-07-17 09:53:11.734{E4B49A97-C807-6878-E002-00000000EE03}4452C:\Windows\System32\attrib.exe10.0.14393.0 (rs1_release.160715-1616)Attribute UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationATTRIB.EXEattrib -s -h C:\Users\Administrator\documents\Default.rdpC:\Temp\ATTACKRANGE\Administrator{E4B49A97-B620-6878-C041-040000000000}0x441c02HighMD5=E2B44D665E20F6FF5C453E0BD450D6FB,SHA256=F9F41EE710DCA39EFF229F5277AF4E3A24EDF7ECA6DFB2627AC3FEFC934907B2,IMPHASH=0A65AFF2BC34E4038AA82943ED63C0D7{E4B49A97-C0FC-6878-0F02-00000000EE03}2852C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp"ATTACKRANGE\Administrator 154100x80000000000000008566Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-07-17 09:50:10.327{E4B49A97-C752-6878-C802-00000000EE03}6284C:\Windows\System32\attrib.exe10.0.14393.0 (rs1_release.160715-1616)Attribute UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationATTRIB.EXEattrib -s -h C:\Users\Administrator\AppData\Roaming\Local\Microsoft\Terminal Server Client\Cache\bcache24.bmcC:\Temp\ATTACKRANGE\Administrator{E4B49A97-B620-6878-C041-040000000000}0x441c02HighMD5=E2B44D665E20F6FF5C453E0BD450D6FB,SHA256=F9F41EE710DCA39EFF229F5277AF4E3A24EDF7ECA6DFB2627AC3FEFC934907B2,IMPHASH=0A65AFF2BC34E4038AA82943ED63C0D7{E4B49A97-C0FC-6878-0F02-00000000EE03}2852C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp"ATTACKRANGE\Administrator 154100x80000000000000008565Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-07-17 09:50:10.318{E4B49A97-C752-6878-C702-00000000EE03}996C:\Windows\System32\attrib.exe10.0.14393.0 (rs1_release.160715-1616)Attribute UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationATTRIB.EXEattrib -s -h C:\Users\Administrator\documents\Default.rdpC:\Temp\ATTACKRANGE\Administrator{E4B49A97-B620-6878-C041-040000000000}0x441c02HighMD5=E2B44D665E20F6FF5C453E0BD450D6FB,SHA256=F9F41EE710DCA39EFF229F5277AF4E3A24EDF7ECA6DFB2627AC3FEFC934907B2,IMPHASH=0A65AFF2BC34E4038AA82943ED63C0D7{E4B49A97-C0FC-6878-0F02-00000000EE03}2852C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp"ATTACKRANGE\Administrator 154100x80000000000000007765Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-07-17 09:23:35.257{E4B49A97-C117-6878-1702-00000000EE03}5440C:\Windows\System32\attrib.exe10.0.14393.0 (rs1_release.160715-1616)Attribute UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationATTRIB.EXEattrib -s -h C:\Users\Administrator\documents\Default.rdpC:\Temp\ATTACKRANGE\Administrator{E4B49A97-B620-6878-C041-040000000000}0x441c02HighMD5=E2B44D665E20F6FF5C453E0BD450D6FB,SHA256=F9F41EE710DCA39EFF229F5277AF4E3A24EDF7ECA6DFB2627AC3FEFC934907B2,IMPHASH=0A65AFF2BC34E4038AA82943ED63C0D7{E4B49A97-C0FC-6878-0F02-00000000EE03}2852C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp"ATTACKRANGE\Administrator