154100x8000000000000000347935Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-09-19 14:51:35.934{f74388cf-6df7-68cd-b83c-000000006003}4068C:\Windows\System32\expand.exe5.00 (WinBuild.160101.0800)LZ Expansion UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationexpandexpand "C:\Users\ADMINI~1\AppData\Local\Temp\2\art-expand-test.cab" -F:* . C:\Users\ADMINI~1\AppData\Local\Temp\2\art-expand-out\ATTACKRANGE\Administrator{f74388cf-d8e3-68ca-c7c5-040000000000}0x4c5c72HighMD5=7395D1ACEAC1FD7790DD59F12DFCDEFB,SHA256=3D263DF4D7AB8B2B408713ED42B87EC355E33617B8B8249FCBD8BE52D1A50F25,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718{f74388cf-6df7-68cd-b53c-000000006003}3828C:\Windows\System32\cmd.exe"cmd.exe" /c mkdir "%TEMP%\art-expand-out" >nul 2>&1 & echo hello from atomic red team > "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" & makecab "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" "%TEMP%\art-expand-test.cab" & pushd "%TEMP%\art-expand-out" & expand "%TEMP%\art-expand-test.cab" -F:* . & popdATTACKRANGE\Administrator 154100x8000000000000000347908Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-09-19 14:50:01.613{f74388cf-6d99-68cd-9a3c-000000006003}4744C:\Windows\System32\expand.exe5.00 (WinBuild.160101.0800)LZ Expansion UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationexpandexpand "C:\Users\ADMINI~1\AppData\Local\Temp\2\art-expand-test.cab" -F:* . C:\Users\ADMINI~1\AppData\Local\Temp\2\art-expand-out\ATTACKRANGE\Administrator{f74388cf-d8e3-68ca-c7c5-040000000000}0x4c5c72HighMD5=7395D1ACEAC1FD7790DD59F12DFCDEFB,SHA256=3D263DF4D7AB8B2B408713ED42B87EC355E33617B8B8249FCBD8BE52D1A50F25,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718{f74388cf-6d99-68cd-973c-000000006003}8144C:\Windows\System32\cmd.exe"cmd.exe" /c mkdir "%TEMP%\art-expand-out" >nul 2>&1 & echo hello from atomic red team > "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" & makecab "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" "%TEMP%\art-expand-test.cab" & pushd "%TEMP%\art-expand-out" & expand "%TEMP%\art-expand-test.cab" -F:* . & popdATTACKRANGE\Administrator 154100x8000000000000000347894Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-09-19 14:48:56.532{f74388cf-6d58-68cd-8a3c-000000006003}7400C:\Windows\System32\expand.exe5.00 (WinBuild.160101.0800)LZ Expansion UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationexpandexpand "C:\Users\ADMINI~1\AppData\Local\Temp\2\art-expand-test.cab" -F:* . C:\Users\ADMINI~1\AppData\Local\Temp\2\art-expand-out\ATTACKRANGE\Administrator{f74388cf-d8e3-68ca-c7c5-040000000000}0x4c5c72HighMD5=7395D1ACEAC1FD7790DD59F12DFCDEFB,SHA256=3D263DF4D7AB8B2B408713ED42B87EC355E33617B8B8249FCBD8BE52D1A50F25,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718{f74388cf-6d58-68cd-873c-000000006003}6520C:\Windows\System32\cmd.exe"cmd.exe" /c mkdir "%TEMP%\art-expand-out" >nul 2>&1 & echo hello from atomic red team > "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" & makecab "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" "%TEMP%\art-expand-test.cab" & pushd "%TEMP%\art-expand-out" & expand "%TEMP%\art-expand-test.cab" -F:* . & popdATTACKRANGE\Administrator 154100x8000000000000000347884Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-09-19 14:48:37.644{f74388cf-6d45-68cd-7f3c-000000006003}6972C:\Windows\System32\expand.exe5.00 (WinBuild.160101.0800)LZ Expansion UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationexpandexpand "C:\ProgramData\wonder.cab" -F:* . C:\ProgramData\ATTACKRANGE\Administrator{f74388cf-d8e3-68ca-c7c5-040000000000}0x4c5c72HighMD5=7395D1ACEAC1FD7790DD59F12DFCDEFB,SHA256=3D263DF4D7AB8B2B408713ED42B87EC355E33617B8B8249FCBD8BE52D1A50F25,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718{f74388cf-6d45-68cd-7c3c-000000006003}2736C:\Windows\System32\cmd.exe"cmd.exe" /c mkdir "C:\ProgramData" >nul 2>&1 & echo hello from atomic red team > "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" & makecab "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" "C:\ProgramData\wonder.cab" & pushd "C:\ProgramData" & expand "C:\ProgramData\wonder.cab" -F:* . & popdATTACKRANGE\Administrator 154100x8000000000000000347879Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-09-19 14:48:05.159{f74388cf-6d25-68cd-793c-000000006003}1884C:\Windows\System32\expand.exe5.00 (WinBuild.160101.0800)LZ Expansion UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationexpandexpand "C:\Users\ADMINI~1\AppData\Local\Temp\2\art-expand-test.cab" -F:* . C:\Users\ADMINI~1\AppData\Local\Temp\2\art-expand-out\ATTACKRANGE\Administrator{f74388cf-d8e3-68ca-c7c5-040000000000}0x4c5c72HighMD5=7395D1ACEAC1FD7790DD59F12DFCDEFB,SHA256=3D263DF4D7AB8B2B408713ED42B87EC355E33617B8B8249FCBD8BE52D1A50F25,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718{f74388cf-6d25-68cd-763c-000000006003}2648C:\Windows\System32\cmd.exe"cmd.exe" /c mkdir "%TEMP%\art-expand-out" >nul 2>&1 & echo hello from atomic red team > "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" & makecab "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" "%TEMP%\art-expand-test.cab" & pushd "%TEMP%\art-expand-out" & expand "%TEMP%\art-expand-test.cab" -F:* . & popdATTACKRANGE\Administrator 154100x8000000000000000347866Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-09-19 14:47:46.562{f74388cf-6d12-68cd-6a3c-000000006003}7484C:\Windows\System32\expand.exe5.00 (WinBuild.160101.0800)LZ Expansion UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationexpandexpand "C:\ProgramData\wonder.cab" -F:* . C:\ProgramData\ATTACKRANGE\Administrator{f74388cf-d8e3-68ca-c7c5-040000000000}0x4c5c72HighMD5=7395D1ACEAC1FD7790DD59F12DFCDEFB,SHA256=3D263DF4D7AB8B2B408713ED42B87EC355E33617B8B8249FCBD8BE52D1A50F25,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718{f74388cf-6d12-68cd-673c-000000006003}5408C:\Windows\System32\cmd.exe"cmd.exe" /c mkdir "C:\ProgramData\" >nul 2>&1 & echo hello from atomic red team > "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" & makecab "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" "C:\ProgramData\wonder.cab" & pushd "C:\ProgramData\" & expand "C:\ProgramData\wonder.cab" -F:* . & popdATTACKRANGE\Administrator 154100x8000000000000000347861Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-09-19 14:47:16.939{f74388cf-6cf4-68cd-643c-000000006003}5256C:\Windows\System32\expand.exe5.00 (WinBuild.160101.0800)LZ Expansion UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationexpandexpand "C:\ProgramData\wonder.cab" -F:* . C:\ProgramData\test\ATTACKRANGE\Administrator{f74388cf-d8e3-68ca-c7c5-040000000000}0x4c5c72HighMD5=7395D1ACEAC1FD7790DD59F12DFCDEFB,SHA256=3D263DF4D7AB8B2B408713ED42B87EC355E33617B8B8249FCBD8BE52D1A50F25,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718{f74388cf-6cf4-68cd-613c-000000006003}7572C:\Windows\System32\cmd.exe"cmd.exe" /c mkdir "C:\ProgramData\test" >nul 2>&1 & echo hello from atomic red team > "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" & makecab "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" "C:\ProgramData\wonder.cab" & pushd "C:\ProgramData\test" & expand "C:\ProgramData\wonder.cab" -F:* . & popdATTACKRANGE\Administrator 154100x8000000000000000347848Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-09-19 14:46:33.392{f74388cf-6cc9-68cd-553c-000000006003}2068C:\Windows\System32\expand.exe5.00 (WinBuild.160101.0800)LZ Expansion UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationexpandexpand "C:\ProgramData\wonder.cab" -F:* . C:\ProgramData\ATTACKRANGE\Administrator{f74388cf-d8e3-68ca-c7c5-040000000000}0x4c5c72HighMD5=7395D1ACEAC1FD7790DD59F12DFCDEFB,SHA256=3D263DF4D7AB8B2B408713ED42B87EC355E33617B8B8249FCBD8BE52D1A50F25,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718{f74388cf-6cc9-68cd-523c-000000006003}5580C:\Windows\System32\cmd.exe"cmd.exe" /c mkdir "C:\ProgramData" >nul 2>&1 & echo hello from atomic red team > "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" & makecab "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" "C:\ProgramData\wonder.cab" & pushd "C:\ProgramData" & expand "C:\ProgramData\wonder.cab" -F:* . & popdATTACKRANGE\Administrator 154100x8000000000000000347843Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-09-19 14:45:58.890{f74388cf-6ca6-68cd-4e3c-000000006003}1040C:\Windows\System32\expand.exe5.00 (WinBuild.160101.0800)LZ Expansion UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationexpandexpand "C:\ProgramData\wonder.cab" -F:* . C:\ProgramData\ATTACKRANGE\Administrator{f74388cf-d8e3-68ca-c7c5-040000000000}0x4c5c72HighMD5=7395D1ACEAC1FD7790DD59F12DFCDEFB,SHA256=3D263DF4D7AB8B2B408713ED42B87EC355E33617B8B8249FCBD8BE52D1A50F25,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718{f74388cf-6ca6-68cd-4b3c-000000006003}2408C:\Windows\System32\cmd.exe"cmd.exe" /c mkdir "C:\ProgramData" >nul 2>&1 & echo hello from atomic red team > "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" & makecab "C:\AtomicRedTeam\atomics\T1140\src\art-expand-source.txt" "C:\ProgramData\wonder.cab" & pushd "C:\ProgramData" & expand "C:\ProgramData\wonder.cab" -F:* . & popdATTACKRANGE\Administrator 154100x8000000000000000347823Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-09-19 14:43:29.162{f74388cf-6c11-68cd-393c-000000006003}4052C:\Windows\System32\expand.exe5.00 (WinBuild.160101.0800)LZ Expansion UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationexpandexpand "C:\ProgramData\wonder.cab" -F:* "C:\ProgramData\\"C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{f74388cf-d8e3-68ca-c7c5-040000000000}0x4c5c72HighMD5=7395D1ACEAC1FD7790DD59F12DFCDEFB,SHA256=3D263DF4D7AB8B2B408713ED42B87EC355E33617B8B8249FCBD8BE52D1A50F25,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718{f74388cf-6c11-68cd-363c-000000006003}6864C:\Windows\System32\cmd.exe"cmd.exe" /c mkdir "C:\ProgramData" >nul 2>&1 & echo hello from atomic red team > "C:\ProgramData\art-expand-source.txt" & makecab "C:\ProgramData\art-expand-source.txt" "C:\ProgramData\wonder.cab" & expand "C:\ProgramData\wonder.cab" -F:* "C:\ProgramData\\"ATTACKRANGE\Administrator 154100x8000000000000000347803Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-09-19 14:40:45.949{f74388cf-6b6d-68cd-233c-000000006003}4232C:\Windows\System32\expand.exe5.00 (WinBuild.160101.0800)LZ Expansion UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationexpand"C:\Windows\system32\expand.exe" C:\ProgramData\wonder.cab -F:* C:\ProgramDataC:\Users\Administrator\ATTACKRANGE\Administrator{f74388cf-d8e3-68ca-c7c5-040000000000}0x4c5c72HighMD5=7395D1ACEAC1FD7790DD59F12DFCDEFB,SHA256=3D263DF4D7AB8B2B408713ED42B87EC355E33617B8B8249FCBD8BE52D1A50F25,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718{f74388cf-6651-68cd-583b-000000006003}76C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ATTACKRANGE\Administrator 154100x8000000000000000347735Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-09-19 14:30:01.308{f74388cf-68e9-68cd-d93b-000000006003}8188C:\Windows\System32\expand.exe5.00 (WinBuild.160101.0800)LZ Expansion UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationexpandexpand "C:\Users\ADMINI~1\AppData\Local\Temp\2\art-expand-test.cab" -F:* "C:\Users\ADMINI~1\AppData\Local\Temp\2\art-expand-out"C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{f74388cf-d8e3-68ca-c7c5-040000000000}0x4c5c72HighMD5=7395D1ACEAC1FD7790DD59F12DFCDEFB,SHA256=3D263DF4D7AB8B2B408713ED42B87EC355E33617B8B8249FCBD8BE52D1A50F25,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718{f74388cf-68e9-68cd-d63b-000000006003}4304C:\Windows\System32\cmd.exe"cmd.exe" /c echo hello from atomic red team > "%TEMP%\art-expand-source.txt" & makecab "%TEMP%\art-expand-source.txt" "%TEMP%\art-expand-test.cab" & if not exist "%TEMP%\art-expand-out" mkdir "%TEMP%\art-expand-out" & expand "%TEMP%\art-expand-test.cab" -F:* "%TEMP%\art-expand-out"ATTACKRANGE\Administrator 154100x8000000000000000347718Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-09-19 14:28:33.097{f74388cf-6891-68cd-c73b-000000006003}1228C:\Windows\System32\expand.exe5.00 (WinBuild.160101.0800)LZ Expansion UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationexpandexpand "C:\Users\ADMINI~1\AppData\Local\Temp\2\art-expand-test.cab" -F:* "C:\Users\ADMINI~1\AppData\Local\Temp\2"C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{f74388cf-d8e3-68ca-c7c5-040000000000}0x4c5c72HighMD5=7395D1ACEAC1FD7790DD59F12DFCDEFB,SHA256=3D263DF4D7AB8B2B408713ED42B87EC355E33617B8B8249FCBD8BE52D1A50F25,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718{f74388cf-6891-68cd-c43b-000000006003}7844C:\Windows\System32\cmd.exe"cmd.exe" /c echo hello from atomic red team > "%TEMP%\art-expand-source.txt" & makecab "%TEMP%\art-expand-source.txt" "%TEMP%\art-expand-test.cab" & expand "%TEMP%\art-expand-test.cab" -F:* "%TEMP%"ATTACKRANGE\Administrator 154100x8000000000000000347672Microsoft-Windows-Sysmon/Operationalar-win-dc.attackrange.local-2025-09-19 14:24:21.826{f74388cf-6795-68cd-993b-000000006003}1316C:\Windows\System32\expand.exe5.00 (WinBuild.160101.0800)LZ Expansion UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationexpandexpand "C:\Users\ADMINI~1\AppData\Local\Temp\2\art-expand-test.cab" -F:* "C:\Users\ADMINI~1\AppData\Local\Temp\2"C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{f74388cf-d8e3-68ca-c7c5-040000000000}0x4c5c72HighMD5=7395D1ACEAC1FD7790DD59F12DFCDEFB,SHA256=3D263DF4D7AB8B2B408713ED42B87EC355E33617B8B8249FCBD8BE52D1A50F25,IMPHASH=8BB8291E08A891E3DCA4B595B2F1D718{f74388cf-6795-68cd-973b-000000006003}1044C:\Windows\System32\cmd.exe"cmd.exe" /c expand "%TEMP%\art-expand-test.cab" -F:* "%TEMP%"ATTACKRANGE\Administrator