22542200x80000000000000002903Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 13:11:32.057{2cb189ff-60cb-68ac-6908-000000006303}1492wpad9003-C:\Windows\System32\xcopy.exeAR-WIN-DC-2\Administrator 154100x80000000000000002878Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 13:10:35.972{2cb189ff-60cb-68ac-6e08-000000006303}1444C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.txt" "C:\ProgramData\info\" /S /YC:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-60cb-68ac-6508-000000006303}3580C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002877Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 13:10:35.962{2cb189ff-60cb-68ac-6d08-000000006303}4484C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-60cb-68ac-6508-000000006303}3580C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002876Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 13:10:35.950{2cb189ff-60cb-68ac-6c08-000000006303}2176C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-60cb-68ac-6508-000000006303}3580C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002875Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 13:10:35.940{2cb189ff-60cb-68ac-6b08-000000006303}6112C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.txt" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-60cb-68ac-6508-000000006303}3580C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002874Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 13:10:35.931{2cb189ff-60cb-68ac-6a08-000000006303}1456C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-60cb-68ac-6508-000000006303}3580C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002873Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 13:10:35.917{2cb189ff-60cb-68ac-6908-000000006303}1492C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-60cb-68ac-6508-000000006303}3580C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002872Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 13:10:35.899{2cb189ff-60cb-68ac-6808-000000006303}4056C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.txt" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-60cb-68ac-6508-000000006303}3580C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002871Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 13:10:35.884{2cb189ff-60cb-68ac-6708-000000006303}3132C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-60cb-68ac-6508-000000006303}3580C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002870Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 13:10:35.862{2cb189ff-60cb-68ac-6608-000000006303}5852C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-60cb-68ac-6508-000000006303}3580C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 4688201331200x8020000000000000174037Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x5a4C:\Windows\System32\xcopy.exe%%19360xdfcNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000174036Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x1184C:\Windows\System32\xcopy.exe%%19360xdfcNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000174035Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x880C:\Windows\System32\xcopy.exe%%19360xdfcNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000174034Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x17e0C:\Windows\System32\xcopy.exe%%19360xdfcNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000174033Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x5b0C:\Windows\System32\xcopy.exe%%19360xdfcNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000174032Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x5d4C:\Windows\System32\xcopy.exe%%19360xdfcNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000174031Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xfd8C:\Windows\System32\xcopy.exe%%19360xdfcNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000174030Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xc3cC:\Windows\System32\xcopy.exe%%19360xdfcNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000174029Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x16dcC:\Windows\System32\xcopy.exe%%19360xdfcNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000002034Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:54:19.857{2cb189ff-5cfb-68ac-9d05-000000006303}5420C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.txt" "C:\ProgramData\info\" /S /YC:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5cfb-68ac-9405-000000006303}5184C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002033Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:54:19.847{2cb189ff-5cfb-68ac-9c05-000000006303}4588C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5cfb-68ac-9405-000000006303}5184C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002032Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:54:19.837{2cb189ff-5cfb-68ac-9b05-000000006303}3792C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5cfb-68ac-9405-000000006303}5184C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002031Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:54:19.824{2cb189ff-5cfb-68ac-9a05-000000006303}4368C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.txt" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5cfb-68ac-9405-000000006303}5184C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002030Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:54:19.814{2cb189ff-5cfb-68ac-9905-000000006303}5568C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5cfb-68ac-9405-000000006303}5184C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002029Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:54:19.804{2cb189ff-5cfb-68ac-9805-000000006303}3564C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5cfb-68ac-9405-000000006303}5184C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002028Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:54:19.786{2cb189ff-5cfb-68ac-9705-000000006303}4980C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.txt" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5cfb-68ac-9405-000000006303}5184C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002027Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:54:19.770{2cb189ff-5cfb-68ac-9605-000000006303}3796C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5cfb-68ac-9405-000000006303}5184C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002026Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:54:19.753{2cb189ff-5cfb-68ac-9505-000000006303}1012C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5cfb-68ac-9405-000000006303}5184C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 4688201331200x8020000000000000172764Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x152cC:\Windows\System32\xcopy.exe%%19360x1440NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172763Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x11ecC:\Windows\System32\xcopy.exe%%19360x1440NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172762Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xed0C:\Windows\System32\xcopy.exe%%19360x1440NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172761Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x1110C:\Windows\System32\xcopy.exe%%19360x1440NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172760Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x15c0C:\Windows\System32\xcopy.exe%%19360x1440NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172759Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xdecC:\Windows\System32\xcopy.exe%%19360x1440NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172758Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x1374C:\Windows\System32\xcopy.exe%%19360x1440NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172757Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xed4C:\Windows\System32\xcopy.exe%%19360x1440NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172756Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x3f4C:\Windows\System32\xcopy.exe%%19360x1440NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172743Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x4d8C:\Windows\System32\xcopy.exe%%19360x13e4NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172742Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x11a0C:\Windows\System32\xcopy.exe%%19360x13e4NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172741Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x139cC:\Windows\System32\xcopy.exe%%19360x13e4NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172740Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x1520C:\Windows\System32\xcopy.exe%%19360x13e4NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172739Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x1190C:\Windows\System32\xcopy.exe%%19360x13e4NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172738Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x830C:\Windows\System32\xcopy.exe%%19360x13e4NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172737Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xbe0C:\Windows\System32\xcopy.exe%%19360x13e4NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172736Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xbb0C:\Windows\System32\xcopy.exe%%19360x13e4NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172735Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x678C:\Windows\System32\xcopy.exe%%19360x13e4NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000002005Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:52:25.496{2cb189ff-5c89-68ac-8805-000000006303}1240C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.txt" "C:\ProgramData\info\" /S /YC:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5c89-68ac-7f05-000000006303}5092C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002004Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:52:25.485{2cb189ff-5c89-68ac-8705-000000006303}4512C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5c89-68ac-7f05-000000006303}5092C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002003Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:52:25.473{2cb189ff-5c89-68ac-8605-000000006303}5020C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5c89-68ac-7f05-000000006303}5092C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002002Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:52:25.463{2cb189ff-5c89-68ac-8505-000000006303}5408C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.txt" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5c89-68ac-7f05-000000006303}5092C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002001Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:52:25.453{2cb189ff-5c89-68ac-8405-000000006303}4496C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5c89-68ac-7f05-000000006303}5092C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000002000Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:52:25.443{2cb189ff-5c89-68ac-8305-000000006303}2096C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5c89-68ac-7f05-000000006303}5092C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001999Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:52:25.423{2cb189ff-5c89-68ac-8205-000000006303}3040C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.txt" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5c89-68ac-7f05-000000006303}5092C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001998Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:52:25.406{2cb189ff-5c89-68ac-8105-000000006303}2992C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5c89-68ac-7f05-000000006303}5092C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001997Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:52:25.390{2cb189ff-5c89-68ac-8005-000000006303}1656C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5c89-68ac-7f05-000000006303}5092C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 4688201331200x8020000000000000172721Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xd60C:\Windows\System32\xcopy.exe%%19360x108cNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172720Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xa94C:\Windows\System32\xcopy.exe%%19360x108cNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172719Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x17fcC:\Windows\System32\xcopy.exe%%19360x108cNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172718Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x10ccC:\Windows\System32\xcopy.exe%%19360x108cNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172717Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xbecC:\Windows\System32\xcopy.exe%%19360x108cNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172716Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xcd8C:\Windows\System32\xcopy.exe%%19360x108cNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000001976Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:51:08.631{2cb189ff-5c3c-68ac-7205-000000006303}3424C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.txt" "C:\ProgramData\info\" /S /IC:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5a95-68ac-3d05-000000006303}4236C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001975Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:51:08.622{2cb189ff-5c3c-68ac-7105-000000006303}2708C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.pdf" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5a95-68ac-3d05-000000006303}4236C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001974Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:51:08.612{2cb189ff-5c3c-68ac-7005-000000006303}6140C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.doc*" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5a95-68ac-3d05-000000006303}4236C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001973Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:51:08.601{2cb189ff-5c3c-68ac-6f05-000000006303}4300C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.txt" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5a95-68ac-3d05-000000006303}4236C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001972Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:51:08.591{2cb189ff-5c3c-68ac-6e05-000000006303}3052C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.pdf" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5a95-68ac-3d05-000000006303}4236C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001971Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:51:08.581{2cb189ff-5c3c-68ac-6d05-000000006303}3288C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.doc*" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5a95-68ac-3d05-000000006303}4236C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 4688201331200x8020000000000000172671Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xbd0C:\Windows\System32\xcopy.exe%%19360x108cNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172670Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x3b0C:\Windows\System32\xcopy.exe%%19360x108cNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172669Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x16c0C:\Windows\System32\xcopy.exe%%19360x108cNULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000001919Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:44:05.158{2cb189ff-5a95-68ac-4005-000000006303}3024C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.txt" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5a95-68ac-3d05-000000006303}4236C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001918Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:44:05.141{2cb189ff-5a95-68ac-3f05-000000006303}944C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.pdf" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5a95-68ac-3d05-000000006303}4236C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001917Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:44:05.124{2cb189ff-5a95-68ac-3e05-000000006303}5824C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.doc*" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5a95-68ac-3d05-000000006303}4236C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 4688201331200x8020000000000000172646Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x165cC:\Windows\System32\xcopy.exe%%19360x1128NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172645Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xf80C:\Windows\System32\xcopy.exe%%19360x1128NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172644Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xa70C:\Windows\System32\xcopy.exe%%19360x1128NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172643Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x86cC:\Windows\System32\xcopy.exe%%19360x1128NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172642Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x178cC:\Windows\System32\xcopy.exe%%19360x1128NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172641Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xe10C:\Windows\System32\xcopy.exe%%19360x1128NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172640Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xd34C:\Windows\System32\xcopy.exe%%19360x1128NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172639Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x112cC:\Windows\System32\xcopy.exe%%19360x1128NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172638Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x15e8C:\Windows\System32\xcopy.exe%%19360x1128NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000001887Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:41:05.333{2cb189ff-59e1-68ac-2705-000000006303}5724C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.txt" "C:\ProgramData\info\" /S /YC:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-59e1-68ac-1e05-000000006303}4392C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001886Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:41:05.321{2cb189ff-59e1-68ac-2605-000000006303}3968C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-59e1-68ac-1e05-000000006303}4392C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001885Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:41:05.310{2cb189ff-59e1-68ac-2505-000000006303}2672C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-59e1-68ac-1e05-000000006303}4392C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001884Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:41:05.300{2cb189ff-59e1-68ac-2405-000000006303}2156C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.txt" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-59e1-68ac-1e05-000000006303}4392C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001883Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:41:05.276{2cb189ff-59e1-68ac-2305-000000006303}6028C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-59e1-68ac-1e05-000000006303}4392C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001882Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:41:05.264{2cb189ff-59e1-68ac-2205-000000006303}3600C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-59e1-68ac-1e05-000000006303}4392C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001881Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:41:05.246{2cb189ff-59e1-68ac-2105-000000006303}3380C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.txt" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-59e1-68ac-1e05-000000006303}4392C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001880Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:41:05.225{2cb189ff-59e1-68ac-2005-000000006303}4396C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-59e1-68ac-1e05-000000006303}4392C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001879Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:41:05.199{2cb189ff-59e1-68ac-1f05-000000006303}5608C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-59e1-68ac-1e05-000000006303}4392C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 4688201331200x8020000000000000172621Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x1540C:\Windows\System32\xcopy.exe%%19360x15b0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172620Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x10d0C:\Windows\System32\xcopy.exe%%19360x15b0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172619Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xe18C:\Windows\System32\xcopy.exe%%19360x15b0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172618Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x818C:\Windows\System32\xcopy.exe%%19360x15b0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172617Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xa9cC:\Windows\System32\xcopy.exe%%19360x15b0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172616Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x1688C:\Windows\System32\xcopy.exe%%19360x15b0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172615Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x1288C:\Windows\System32\xcopy.exe%%19360x15b0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172614Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x1048C:\Windows\System32\xcopy.exe%%19360x15b0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172613Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xd4cC:\Windows\System32\xcopy.exe%%19360x15b0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 154100x80000000000000001854Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:38:44.472{2cb189ff-5954-68ac-0e05-000000006303}5440C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.txt" "C:\ProgramData\info\" /S /YC:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5954-68ac-0505-000000006303}5552C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001853Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:38:44.460{2cb189ff-5954-68ac-0d05-000000006303}4304C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5954-68ac-0505-000000006303}5552C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001852Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:38:44.451{2cb189ff-5954-68ac-0c05-000000006303}3608C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5954-68ac-0505-000000006303}5552C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001851Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:38:44.442{2cb189ff-5954-68ac-0b05-000000006303}2072C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.txt" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5954-68ac-0505-000000006303}5552C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001850Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:38:44.432{2cb189ff-5954-68ac-0a05-000000006303}2716C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5954-68ac-0505-000000006303}5552C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001849Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:38:44.420{2cb189ff-5954-68ac-0905-000000006303}5768C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5954-68ac-0505-000000006303}5552C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001848Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:38:44.401{2cb189ff-5954-68ac-0805-000000006303}4744C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.txt" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5954-68ac-0505-000000006303}5552C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001847Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:38:44.381{2cb189ff-5954-68ac-0705-000000006303}4168C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.pdf" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5954-68ac-0505-000000006303}5552C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001846Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:38:44.360{2cb189ff-5954-68ac-0605-000000006303}3404C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.doc*" "C:\ProgramData\info\" /S /Y C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5954-68ac-0505-000000006303}5552C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /Y && xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /Y"AR-WIN-DC-2\Administrator 154100x80000000000000001796Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:33:10.228{2cb189ff-5806-68ac-dd04-000000006303}4952C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.txt" "C:\ProgramData\info\" /S /IC:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5806-68ac-d404-000000006303}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001795Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:33:10.218{2cb189ff-5806-68ac-dc04-000000006303}3588C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.pdf" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5806-68ac-d404-000000006303}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001794Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:33:10.205{2cb189ff-5806-68ac-db04-000000006303}480C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Desktop\*.doc*" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5806-68ac-d404-000000006303}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001793Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:33:10.195{2cb189ff-5806-68ac-da04-000000006303}6132C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.txt" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5806-68ac-d404-000000006303}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001792Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:33:10.182{2cb189ff-5806-68ac-d904-000000006303}1884C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.pdf" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5806-68ac-d404-000000006303}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001791Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:33:10.170{2cb189ff-5806-68ac-d804-000000006303}3144C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Downloads\*.doc*" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5806-68ac-d404-000000006303}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001790Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:33:10.147{2cb189ff-5806-68ac-d704-000000006303}5244C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.txt" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5806-68ac-d404-000000006303}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001789Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:33:10.125{2cb189ff-5806-68ac-d604-000000006303}5224C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.pdf" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5806-68ac-d404-000000006303}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 154100x80000000000000001788Microsoft-Windows-Sysmon/Operationalar-win-dc-2-2025-08-25 12:33:10.099{2cb189ff-5806-68ac-d504-000000006303}2700C:\Windows\System32\xcopy.exe10.0.17763.1 (WinBuild.160101.0800)Extended Copy UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationXCOPY.EXExcopy "C:\Users\Administrator\Documents\*.doc*" "C:\ProgramData\info\" /S /I C:\Temp\1\AR-WIN-DC-2\Administrator{2cb189ff-4fa4-68ac-4626-180000000000}0x1826462HighMD5=ACBA3C52830DD747DEF2241E3151CCB8,SHA256=1C58E29C25B4065893DD4FBB6ED27BD8A04828A30396D581D7C641D21E910DC8,IMPHASH=35EA203988B3D2B863842077BCE520C7{2cb189ff-5806-68ac-d404-000000006303}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "xcopy "C:\Users\%username%\Documents\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Documents\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Downloads\*.txt" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.doc*" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.pdf" "C:\ProgramData\info\" /S /I & xcopy "C:\Users\%username%\Desktop\*.txt" "C:\ProgramData\info\" /S /I"AR-WIN-DC-2\Administrator 4688201331200x8020000000000000172572Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x1358C:\Windows\System32\xcopy.exe%%19360x10d0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172571Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xe04C:\Windows\System32\xcopy.exe%%19360x10d0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172570Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x1e0C:\Windows\System32\xcopy.exe%%19360x10d0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172569Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x17f4C:\Windows\System32\xcopy.exe%%19360x10d0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172568Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x75cC:\Windows\System32\xcopy.exe%%19360x10d0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172567Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xc48C:\Windows\System32\xcopy.exe%%19360x10d0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172566Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x147cC:\Windows\System32\xcopy.exe%%19360x10d0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172565Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460x1468C:\Windows\System32\xcopy.exe%%19360x10d0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level 4688201331200x8020000000000000172564Securityar-win-dc-2AR-WIN-DC-2\AdministratorAdministratorAR-WIN-DC-20x1826460xa8cC:\Windows\System32\xcopy.exe%%19360x10d0NULL SID--0x0C:\Windows\System32\cmd.exeMandatory Label\High Mandatory Level