10341000x8000000000000000361824Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.638{9D1ED712-FFFD-623D-1F02-000000003B02}48884816C:\Windows\system32\pcalua.exe{9D1ED712-FFFD-623D-2002-000000003B02}4116C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+aae60|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+3d5e3|C:\Windows\System32\SHELL32.dll+3d4ab|C:\Windows\System32\SHELL32.dll+3cdc7|C:\Windows\System32\SHELL32.dll+dcb8e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000361823Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.650{9D1ED712-FFFD-623D-2002-000000003B02}4116C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9D1ED712-FFFB-623D-6B1B-180000000000}0x181b6b0HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28{9D1ED712-FFFD-623D-1F02-000000003B02}4888C:\Windows\System32\pcalua.exepcalua.exe -a C:\Windows\System32\calc.exe 10341000x8000000000000000361819Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.638{9D1ED712-FD51-623D-0B00-000000003B02}648308C:\Windows\system32\lsass.exe{9D1ED712-FFFD-623D-1F02-000000003B02}4888C:\Windows\system32\pcalua.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361818Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.638{9D1ED712-FD51-623D-0B00-000000003B02}648308C:\Windows\system32\lsass.exe{9D1ED712-FFFD-623D-1F02-000000003B02}4888C:\Windows\system32\pcalua.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361813Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.623{9D1ED712-FD53-623D-0C00-000000003B02}8522936C:\Windows\system32\svchost.exe{9D1ED712-FFFD-623D-1F02-000000003B02}4888C:\Windows\system32\pcalua.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361802Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.576{9D1ED712-FD51-623D-0500-000000003B02}420412C:\Windows\system32\csrss.exe{9D1ED712-FFFD-623D-1F02-000000003B02}4888C:\Windows\system32\pcalua.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000361801Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.576{9D1ED712-FFFD-623D-1B02-000000003B02}34924552C:\Windows\SYSTEM32\cmd.exe{9D1ED712-FFFD-623D-1F02-000000003B02}4888C:\Windows\system32\pcalua.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+c347|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000361800Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.576{9D1ED712-FFFD-623D-1F02-000000003B02}4888C:\Windows\System32\pcalua.exe10.0.14393.4946 (rs1_release.220131-0721)Program Compatibility AssistantMicrosoft® Windows® Operating SystemMicrosoft Corporation-pcalua.exe -a C:\Windows\System32\calc.exeC:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9D1ED712-FFFB-623D-6B1B-180000000000}0x181b6b0HighMD5=B5931AF4C873CCEEF02C0208B715A565,SHA256=194A95C23EF95E9BFD64F4B2706F61692B36C0E0673592BCE0EE0DD6FFEE9E79,IMPHASH=C11D16E312D93C5AF886445DE7172050{9D1ED712-FFFD-623D-1B02-000000003B02}3492C:\Windows\System32\cmd.exe"cmd.exe" /c "pcalua.exe -a calc.exe & pcalua.exe -a C:\Windows\System32\calc.exe" 10341000x8000000000000000361789Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.560{9D1ED712-FFFD-623D-1D02-000000003B02}48524660C:\Windows\system32\pcalua.exe{9D1ED712-FFFD-623D-1E02-000000003B02}2112C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a90ff|C:\Windows\System32\windows.storage.dll+a8d75|C:\Windows\System32\windows.storage.dll+a8866|C:\Windows\System32\windows.storage.dll+a9cd8|C:\Windows\System32\windows.storage.dll+a868e|C:\Windows\System32\windows.storage.dll+ab4a5|C:\Windows\System32\windows.storage.dll+ab824|C:\Windows\System32\windows.storage.dll+aae60|C:\Windows\System32\windows.storage.dll+ad68a|C:\Windows\System32\windows.storage.dll+ad442|C:\Windows\System32\SHELL32.dll+3fa6d|C:\Windows\System32\SHELL32.dll+3e606|C:\Windows\System32\SHELL32.dll+80381|C:\Windows\System32\SHELL32.dll+6731e|C:\Windows\System32\SHELL32.dll+3d5e3|C:\Windows\System32\SHELL32.dll+3d4ab|C:\Windows\System32\SHELL32.dll+3cdc7|C:\Windows\System32\SHELL32.dll+dcb8e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000361788Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.567{9D1ED712-FFFD-623D-1E02-000000003B02}2112C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9D1ED712-FFFB-623D-6B1B-180000000000}0x181b6b0HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28{9D1ED712-FFFD-623D-1D02-000000003B02}4852C:\Windows\System32\pcalua.exepcalua.exe -a calc.exe 10341000x8000000000000000361787Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.560{9D1ED712-FD51-623D-0B00-000000003B02}648308C:\Windows\system32\lsass.exe{9D1ED712-FFFD-623D-1D02-000000003B02}4852C:\Windows\system32\pcalua.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361786Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.560{9D1ED712-FD51-623D-0B00-000000003B02}648308C:\Windows\system32\lsass.exe{9D1ED712-FFFD-623D-1D02-000000003B02}4852C:\Windows\system32\pcalua.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361785Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.498{9D1ED712-FD53-623D-0C00-000000003B02}8522936C:\Windows\system32\svchost.exe{9D1ED712-FFFD-623D-1D02-000000003B02}4852C:\Windows\system32\pcalua.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361776Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.466{9D1ED712-FD51-623D-0500-000000003B02}420436C:\Windows\system32\csrss.exe{9D1ED712-FFFD-623D-1D02-000000003B02}4852C:\Windows\system32\pcalua.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000361774Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.466{9D1ED712-FFFD-623D-1B02-000000003B02}34924552C:\Windows\SYSTEM32\cmd.exe{9D1ED712-FFFD-623D-1D02-000000003B02}4852C:\Windows\system32\pcalua.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+8564|C:\Windows\SYSTEM32\cmd.exe+c347|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000361773Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.480{9D1ED712-FFFD-623D-1D02-000000003B02}4852C:\Windows\System32\pcalua.exe10.0.14393.4946 (rs1_release.220131-0721)Program Compatibility AssistantMicrosoft® Windows® Operating SystemMicrosoft Corporation-pcalua.exe -a calc.exe C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9D1ED712-FFFB-623D-6B1B-180000000000}0x181b6b0HighMD5=B5931AF4C873CCEEF02C0208B715A565,SHA256=194A95C23EF95E9BFD64F4B2706F61692B36C0E0673592BCE0EE0DD6FFEE9E79,IMPHASH=C11D16E312D93C5AF886445DE7172050{9D1ED712-FFFD-623D-1B02-000000003B02}3492C:\Windows\System32\cmd.exe"cmd.exe" /c "pcalua.exe -a calc.exe & pcalua.exe -a C:\Windows\System32\calc.exe" 154100x8000000000000000361759Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.459{9D1ED712-FFFD-623D-1B02-000000003B02}3492C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "pcalua.exe -a calc.exe & pcalua.exe -a C:\Windows\System32\calc.exe"C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9D1ED712-FFFB-623D-6B1B-180000000000}0x181b6b0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{9D1ED712-FFFC-623D-1602-000000003B02}4612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAyADAAMgAiACAALQBDAG8AbgBmAGkAcgBtADoAJABmAGEAbABzAGUAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAbwBuAGQAcwAgADMAMAAwACAALQBFAHgAZQBjAHUAdABpAG8AbgBMAG8AZwBQAGEAdABoACAAQwA6AFwAQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQBcAGEAdABjAF8AZQB4AGUAYwB1AHQAaQBvAG4ALgBjAHMAdgA= 10341000x8000000000000000361884Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.794{9D1ED712-FFFD-623D-2302-000000003B02}49964604C:\Windows\system32\forfiles.exe{9D1ED712-FFFD-623D-2502-000000003B02}1512C:\Windows\system32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\forfiles.exe+140b|C:\Windows\system32\forfiles.exe+3e79|C:\Windows\system32\forfiles.exe+391f|C:\Windows\system32\forfiles.exe+2d7f|C:\Windows\system32\forfiles.exe+961d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000361883Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.800{9D1ED712-FFFD-623D-2502-000000003B02}1512C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\system32\calc.exe"c:\windows\system32\ATTACKRANGE\Administrator{9D1ED712-FFFB-623D-6B1B-180000000000}0x181b6b0HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28{9D1ED712-FFFD-623D-2302-000000003B02}4996C:\Windows\System32\forfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c calc.exe 10341000x8000000000000000361879Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.779{9D1ED712-FFFD-623D-2202-000000003B02}47961044C:\Windows\system32\conhost.exe{9D1ED712-FFFD-623D-2302-000000003B02}4996C:\Windows\system32\forfiles.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000361869Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.779{9D1ED712-FD51-623D-0500-000000003B02}420412C:\Windows\system32\csrss.exe{9D1ED712-FFFD-623D-2302-000000003B02}4996C:\Windows\system32\forfiles.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000361868Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.779{9D1ED712-FFFD-623D-2102-000000003B02}45683692C:\Windows\SYSTEM32\cmd.exe{9D1ED712-FFFD-623D-2302-000000003B02}4996C:\Windows\system32\forfiles.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\SYSTEM32\cmd.exe+f1e1|C:\Windows\SYSTEM32\cmd.exe+11a37|C:\Windows\SYSTEM32\cmd.exe+cb0d|C:\Windows\SYSTEM32\cmd.exe+c295|C:\Windows\SYSTEM32\cmd.exe+f916|C:\Windows\SYSTEM32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000361867Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.787{9D1ED712-FFFD-623D-2302-000000003B02}4996C:\Windows\System32\forfiles.exe10.0.14393.0 (rs1_release.160715-1616)ForFiles - Executes a command on selected filesMicrosoft® Windows® Operating SystemMicrosoft Corporationforfiles.exeforfiles /p c:\windows\system32 /m notepad.exe /c calc.exeC:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9D1ED712-FFFB-623D-6B1B-180000000000}0x181b6b0HighMD5=C1597D16DF61070172BFC283C4F3EC82,SHA256=5B2BA93B56D9DA593CBD896FD153414BF6C2C301F5FB034974D1504FA087B955,IMPHASH=2ACDFC919F5F1B5FC41BB9056CE67C7D{9D1ED712-FFFD-623D-2102-000000003B02}4568C:\Windows\System32\cmd.exe"cmd.exe" /c "forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe" 154100x8000000000000000361851Microsoft-Windows-Sysmon/Operationalwin-dc-emcginnis-47905-664.attackrange.local-2022-03-25 17:46:37.753{9D1ED712-FFFD-623D-2102-000000003B02}4568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c "forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{9D1ED712-FFFB-623D-6B1B-180000000000}0x181b6b0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{9D1ED712-FFFC-623D-1602-000000003B02}4612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAyADAAMgAiACAALQBDAG8AbgBmAGkAcgBtADoAJABmAGEAbABzAGUAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAbwBuAGQAcwAgADMAMAAwACAALQBFAHgAZQBjAHUAdABpAG8AbgBMAG8AZwBQAGEAdABoACAAQwA6AFwAQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQBcAGEAdABjAF8AZQB4AGUAYwB1AHQAaQBvAG4ALgBjAHMAdgA=