154100x8000000000000000150703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:20:43.985{89C4FCAF-58AB-6387-2514-000000009402}6568C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /S /D /c" dir /s/b /A:-D RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies == "Login Data" == places.sqlite == key3.db == key4.db == credentials == credentials.db == access_tokens.db == accessTokens.json == legacy_credentials == azureProfile.json == unattend.txt == access.log == error.log == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.der == *.csr == *.cer == known_hosts == id_rsa == id_dsa == *.ovpn == anaconda-ks.cfg == hostapd.conf == rsyncd.conf == cesi.conf == supervisord.conf == tomcat-users.xml == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == unattend.xml == unattended.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == groups.xml == services.xml == scheduledtasks.xml == printers.xml == drives.xml == datasources.xml == php.ini == https.conf == https-xampp.conf == httpd.conf == my.ini == my.cnf == access.log == error.log == server.xml == SiteList.xml == ConsoleHost_history.txt == setupinfo == setupinfo.bak 2>nul"C:\ATTACKRANGE\Administrator{89C4FCAF-46B7-6387-1220-3C0000000000}0x3c20122HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{89C4FCAF-57DF-6387-6308-000000009402}5892C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Users\Public" 154100x8000000000000000150614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-657.attackrange.local-2022-11-30 13:20:43.732{89C4FCAF-58AB-6387-2014-000000009402}6648C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXEfindstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"C:\Documents and Settings\ATTACKRANGE\Administrator{89C4FCAF-46B7-6387-1220-3C0000000000}0x3c20122HighMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{89C4FCAF-57DF-6387-6308-000000009402}5892C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Users\Public"