HelpLine

Apparently I’ve gone a couple miles down the unintended path. I don’t see any way forward that doesn’t involve targeted hash cracking. There are enough hints for that to be viable, I’d think, but it hasn’t gotten me anywhere. Maybe I overlooked something in the mountains of mimikatz documentation. I dropped a forensics lib to read the raw flags. I was hoping to get the metadata, but it only returned the contents. I think that should count, since I technically have the flags.

I saw where @egre55 was doing some things with calc.exe, so I’m wondering if a custom exploit is intended, though I don’t see how it could help me now. I guess I’ll go back to the users, since they each seem to have a purpose. I would like to know if the remoteaccess site is involved. A couple open ports make me think it might be, but I haven’t seen anything else to support it. Alright, this stream of consciousness has gone on long enough. Good talk.